2 WANs for 2 Separated LANs RouterOS 7.11.3

RouterOS General
1

Hey Guys,

I’m trying to build 2 networks, each with its own WAN.
Each network should be separated, with no access to each other LAN or WAN.
I saw some topics already on the forum, but either they are on RouterOS 6 or the topology they try to create is different (i.e., failover Wan or shareable LAN)
Network 1 (“Building”): 192.168.1.X is connected with the DHCP Client (physically connected by ethernet port to a cable modem that is configurated as a bridge)
Network 2 (“Home”): 192.168.88.X is connected with PPPoE (physically connected by SFP+ to ethernet port to a fiber bride ONT with ethernet out)
I’m able to connect each network separately and also share one of the WANs between networks (either one of them but not both)

The problem: I cannot create the separation where each LAN is working only with its dedicated WAN, and each LAN does not access the other LAN.

Here is the configuration I’m using now:

# 2024-07-21 01:38:39 by RouterOS 7.11.3
# software id = 4LGQ-ZLD6
#
# model = CCR2116-12G-4S+
# serial number = ****
/interface bridge
add name="bridge1 - Building"
add name="bridge2 - Home"
/interface ethernet
set [ find default-name=ether1 ] name="ether1-WAN(Hot)"
set [ find default-name=ether2 ] name=ether2-Buidling-Switch
set [ find default-name=ether3 ] name=ether3-Buidling-PC
set [ find default-name=ether4 ] name=ether4-Buidling-NVR
set [ find default-name=ether5 ] name="ether5 - Home"
set [ find default-name=ether6 ] name="ether6 - Home"
set [ find default-name=ether7 ] name="ether7 - Home"
set [ find default-name=ether8 ] name="ether8 - Home"
set [ find default-name=ether9 ] name="ether9 - Home"
set [ find default-name=ether10 ] name="ether10 - Home"
set [ find default-name=ether11 ] name="ether11 - Home"
set [ find default-name=ether12 ] name="ether12 - Home"
set [ find default-name=ether13 ] name="ether13 - Home"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=\
    "sfp-sfpplus1 - WAN (Bezeq)"
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no name=\
    "sfp-sfpplus2-Home-To Switch"
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no name=\
    sfp-sfpplus3-Home
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no name=\
    "sfp-sfpplus4-Home-10G PC"
/interface pppoe-client
add add-default-route=yes disabled=no interface="sfp-sfpplus1 - WAN (Bezeq)" \
    name=pppoe-out1-Bezeq user=****
/interface list
add name=LAN1
add name=LAN2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=198.168.1.2-198.168.1.254
add name=dhcp_pool5 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface="bridge1 - Building" name=dhcp1
add address-pool=dhcp_pool5 interface="bridge2 - Home" name=dhcp2
/port
set 0 name=serial0
/routing table
add disabled=no fib name=rtab-1
add disabled=no fib name=rtab-2
/interface bridge port
add bridge="bridge1 - Building" interface=ether2-Buidling-Switch
add bridge="bridge1 - Building" interface=ether3-Buidling-PC
add bridge="bridge1 - Building" interface=ether4-Buidling-NVR
add bridge="bridge2 - Home" interface="ether5 - Home"
add bridge="bridge2 - Home" interface="ether6 - Home"
add bridge="bridge2 - Home" interface="ether7 - Home"
add bridge="bridge2 - Home" interface="ether8 - Home"
add bridge="bridge2 - Home" interface="ether9 - Home"
add bridge="bridge2 - Home" interface="ether10 - Home"
add bridge="bridge2 - Home" interface="ether11 - Home"
add bridge="bridge2 - Home" interface="ether12 - Home"
add bridge="bridge2 - Home" interface="sfp-sfpplus2-Home-To Switch"
add bridge="bridge2 - Home" interface=sfp-sfpplus3-Home
add bridge="bridge2 - Home" interface="sfp-sfpplus4-Home-10G PC"
/interface list member
add interface="bridge1 - Building" list=LAN1
add interface="bridge2 - Home" list=LAN2
/ip address
add address=198.168.1.1/24 interface="bridge1 - Building" network=198.168.1.0
add address=192.168.88.1/24 interface="bridge2 - Home" network=192.168.88.0
/ip dhcp-client
add interface="ether1-WAN(Hot)"
/ip dhcp-server lease
add address=192.168.88.9 client-id=1:28:80:88:73:56:2c mac-address=\
    28:80:88:73:56:2C server=dhcp2
add address=192.168.88.8 client-id=1:98:b7:85:1f:ec:25 mac-address=\
    98:B7:85:1F:EC:25 server=dhcp2
add address=192.168.88.5 client-id=1:98:25:4a:24:d8:50 mac-address=\
    98:25:4A:24:D8:50 server=dhcp2
add address=192.168.88.7 client-id=1:b4:b0:24:2f:ef:ba mac-address=\
    B4:B0:24:2F:EF:BA server=dhcp2
add address=192.168.88.6 client-id=1:b4:b0:24:2f:ef:b8 mac-address=\
    B4:B0:24:2F:EF:B8 server=dhcp2
add address=192.168.88.4 client-id=1:5c:a6:e6:b7:70:25 mac-address=\
    5C:A6:E6:B7:70:25 server=dhcp2
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
add address=198.168.1.0/24 gateway=198.168.1.1
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" in-interface=\
    pppoe-out1-Bezeq protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=\
    pppoe-out1-Bezeq port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=\
    pppoe-out1-Bezeq port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    pppoe-out1-Bezeq
add action=accept chain=input comment="accept ICMP" in-interface=\
    "ether1-WAN(Hot)" protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=\
    "ether1-WAN(Hot)" port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=\
    "ether1-WAN(Hot)" port=22 protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    "ether1-WAN(Hot)"
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rtab-1 passthrough=\
    no src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=rtab-2 passthrough=\
    no src-address=192.168.88.0/24
add action=accept chain=prerouting in-interface=pppoe-out1-Bezeq
add action=accept chain=prerouting in-interface="ether1-WAN(Hot)"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1-WAN(Hot)"
add action=masquerade chain=srcnat out-interface=pppoe-out1-Bezeq
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=100.94.144.1 routing-table=\
    rtab-1 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1-Bezeq \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN1
/tool mac-server mac-winbox
set allowed-interface-list=LAN1
2
  1. Your firewall filter is a self-hazard - better use the default one than this open door for attacks, malware and what not
  2. The accept mangle rules aren’t necessary
  3. You’re missing two routes:
/ip route
add dst-address=0.0.0.0/0 gateway=100.94.144.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=pppoe-out1-Bezeq routing-table=rtab-2
  1. To drop traffic between the LANs:
/ip firewall filter
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.1.0/24
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=192.168.88.0/24
3

SINGLE BRIDGE - use VLANs. Vlans create quick separation at layer two and are easy with respect to clean firewall rules, and the use of drop all at the end of input and forward chains.
More importantly, you can easily add other subents for guest wifi, Iot or media devices that you dont want to access work or home user devices, or you want to share a printer for many etc…
Max flex!!! Changes mostly shown:

Off bridge on ether13 allows you to the router without being affected by any bridge or vlan errors and thus far less likely to get locked out. Simply plug your laptop or PC into ether13 and modify ipv4 settings to for example 192.158.55.2/24 and you are good to go!

Recommend using wireguard vice SSH to login into router remotely.



# serial number = ****
/interface ethernet
set [ find default-name=ether13 ] name=Off-Bridge

/interface bridge
add name=bridge vlan-filtering=no  { change to yes as the last step in configuration }

/interface vlan
add name=vlanBuilding vlan-id=5
add name=vlanHome vlan-id=10

/interface pppoe-client  { please note  the default route option changed to NO, will handle it manually in ip route }
add add-default-route=no disabled=no interface="sfp-sfpplus1 - WAN (Bezeq)" \
    name=pppoe-out1-Bezeq user=****

/interface list
add name=WAN
add name=LAN

/ip dhcp-server
add address-pool=dhcp_pool1 interface=vlanBuilding name=dhcp1
add address-pool=dhcp_pool5 interface=vlanHome  name=dhcp2

/interface bridge port
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface=ether2-Buidling-Switch  pvid=5
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface=ether3-Buidling-PC  pvid=5
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface=ether4-Buidling-NVR  pvid=5
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="ether5 - Home"  pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="ether6 - Home"  pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="ether7 - Home"  pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="ether8 - Home"  pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="ether9 - Home"  pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="ether10 - Home"  pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="ether11 - Home"  pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="ether12 - Home" pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="sfp-sfpplus2-Home-To Switch"  pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface=sfp-sfpplus3-Home pvid=10
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface="sfp-sfpplus4-Home-10G PC" pvid=10

/interface bridge vlan
add bridge=bridge tagged=bridge  untagged=ether2-Buidling-Switch,ether3-Buidling-PC,ether3-Buidling-NVR  vlan-id=5
add bridge=bridge tagged=bridge  untagged="ether5 - Home","ether6 - Home","ether7 - Home","ether8 - Home","ether9 - Home","ether10 - Home","ether11 - Home","ether12 - Home","sfp-sfpplus2-Home-To Switch",sfp-sfpplus3-Home,"sfp-sfpplus4-Home-10G PC"   vlan-id=10

/interface list member
add interface="ether1-WAN(Hot)"  list=WAN
add interface=pppoe-out1-Bezeq  list=WAN
add interface=vlanBuilding  list=LAN
add interface=vlanHome list=LAN
add interface=Off-Bridge list=LAN

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip address
add address=198.168.1.1/24 interface=vlanBuilding network=198.168.1.0
add address=192.168.88.1/24 interface=vlanHome network=192.168.88.0
add address=192.168.55.1/30  interface=Off-Bridge network=192.168.55.0

/ip dhcp-server network
add address=198.168.1.0/24 gateway=198.168.1.1 dns-server=192.168.1.1
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

/ip dns
set allow-remote-servers=yes  servers=1.1.1.1

/ip firewall address-list   {  set dhcp leases to static for these IPs }
add address=192.168.1.XX  list=Authorized   comment="admin device 1 on building"
add address=192.168.1.XX  list=Authorized   comment="admin device 2 on building"
add address=192.168.88.XX  list=Authorized   comment="admin device 3 in home"
add address=192.168.88.XX  list=Authorized   comment="admin device 4 in home"
add address=192.168.55.2  list=Authorized comment="Off Bridge port access"

/ip firewall filter  { do not allow access to router unless its from LAN or via VPN }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input  protocol=icmp
add action=accept chain=input comment="allow SSH" port=15235 protocol=tcp
add action=accept chain=input comment="admin access"  in-interface-list=LAN src-address-list=Authorized
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services"  in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else"   { put this rule in last othewise you may lock yourself out aka after turning bridge vlan filtering on successfully }
++++++++++++++++
add action=fasstrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN src-address=192.168.1.0/24 out-interface="ether1-WAN(Hot)"
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN src-address=192.168.8.0/24 out-interface=pppoe-out1-Bezeq
add action=accept chain=forward comment="admin access" in-interface-list=LAN src-address-list=Authorized
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat  disabled=yes  { enable if required or remove }
add action=drop chain=forward comment="drop all else"

/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1-WAN(Hot)"
add action=masquerade chain=srcnat out-interface=pppoe-out1-Bezeq

/ip route
{ main tables, for minimum to ensure router knows whats available }
add check-gateway=ping distance=2  dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-table=main scope=10 target-scope=12
add distance=2  dst-address=8.8.4.4/32 gateway=ether1-gateway-IP routing-table=main scope=10 target-scope=11
add check-gateway=ping distance=4  dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add distance=4  dst-address=9.9.9.9/32 gateway=pppoe-out1-Bezeq  routing-table=main scope=10 target-scope=11
+++++
{ special routes }
add dst-address=0.0.0.0/0  gateway=ether1-gatewayIP  routing-table=rtab-1
add dst-address=0.0.0.0/0  gateway=pppoe-out1-Bezeq  routing-table=rtab-2

/routing rules
add action=lookup-only-in-table main-prefix=0  table=main
add action=lookup-only-in-table src-address=192.168.1.0/24 table=rtab-1
add action=lookup-only-in-table src-address=192.168.88.0/24 table=rtab-2

/ip service   {  SSH is generally safer to use from internal LANIPs, for external access recommend wireguard }
set ssh port=non-standard port !!!
set winbox port=non-standard port !!!

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN

/ip ssh
set forwarding-enabled=local host-key-size=4096 host-key-type=ed25519 strong-crypto=yes

Check out this video on how to use SSH to generate keys to make SSH a bit better if not interested in wireguard.
https://www.youtube.com/watch?v=be-pBwhjRWA&t=84s

4

Hey Anav, you’re rock!

Sorry for the late response. I was dealing with another issue on the ISP side; now that it’s solved, I’m finally back to solving the 2 network problems related to this topic.
I have been trying to apply the configuration you suggested but have had no luck. I’m in a dead end.

  1. Some of the commands you’ve posted are returning “bad command” from the WinBox terminal; perhaps it’s a version issue?
    Anyhow, I’ve tried to apply them on the GUI as much as I could do the correlation.

The things that didn’t work are:
a. any of those commands = >
/interface bridge port
add bridge=bridge ingress-filitering=yes frame-types=admit-priority-and-untagged interface=ether2-Buidling-Switch pvid=5
b. /ip dns
set allow-remote-servers=yes servers=1.1.1.1
c./routing rules
add action=lookup-only-in-table main-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.1.0/24 table=rtab-1
add action=lookup-only-in-table src-address=192.168.88.0/24 table=rtab-2

  1. After Applying the config, I lost connection with the router admin terminal; I was only able to gain it back using port “13” which is “Off Bridge”
  2. Now I don’t have internet in any network devices connected (though I’m able to pull 8.8.8.8 ping from the terminal)
  3. DHCP Servers are marked red as inactive. I don’t know why.
  4. On my PC I’m getting “undefined network” next to my ethernet network card connection.

Here is the current configuration, maybe you can help me out from this point?
Note that:
a. 192.168.1.X is now the WAN out of one of networks(It’s connected to ISP Router on my side, which I config DHCP Client to pull IP from it)
b. the 2 networks that I’d like to build are now 192.168.88.X and 192.168.77.X
c. change some names and vLAN IDs
d. I’ve removed the "drop firewall rules after I was blocked from the terminal so I thought it would help, but it didn’t work with them either. the config below is without them, but you may tell me to add them back in whatever order you think is needed.

# 2024-07-25 19:13:29 by RouterOS 7.11.3
# software id = 4LGQ-ZLD6
#
# model = CCR2116-12G-4S+
# serial number = ***
/interface bridge
add frame-types=admit-only-untagged-and-priority-tagged name=bridge pvid=1 \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether13 ] name=Off-Bridge
set [ find default-name=ether1 ] name=ether1-Building
set [ find default-name=ether2 ] name=ether2-Buidling-Switch
set [ find default-name=ether3 ] name=ether3-Buidling-PC
set [ find default-name=ether4 ] name=ether4-Buidling-NVR
set [ find default-name=ether5 ] name=ether5-Home
set [ find default-name=ether6 ] name=ether6-Home
set [ find default-name=ether7 ] name=ether7-Home
set [ find default-name=ether8 ] name=ether8-Home
set [ find default-name=ether9 ] name=ether9-Home
set [ find default-name=ether10 ] name=ether10-Home
set [ find default-name=ether11 ] name=ether11-Home
set [ find default-name=ether12 ] name=ether12-Home
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=\
    sfp1-Bezeq-Wan-10G
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no name=\
    sfp2-Home-To-Switch-10G
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no name=\
    sfp3-Hot-Wan-10G
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no name=\
    sfp4-Home-PC-10G
/interface pppoe-client
add disabled=no interface=sfp1-Bezeq-Wan-10G name=pppoe-Bezeq user=\
    ****
/interface vlan
add interface=bridge name=vlanBuilding vlan-id=10
add interface=bridge name=vlanHome vlan-id=5
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool4 ranges=192.168.88.11-192.168.88.254
add name=dhcp_pool5 ranges=192.168.77.11-192.168.77.254
/ip dhcp-server
add address-pool=dhcp_pool4 interface=bridge name=dhcp1 relay=192.168.88.1
add address-pool=dhcp_pool5 interface=bridge name=dhcp2 relay=192.168.77.1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=rtab-1
add disabled=no fib name=rtab-2
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp4-Home-PC-10G pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether11-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether12-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp2-Home-To-Switch-10G pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-Buidling-PC pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-Buidling-Switch pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-Buidling-NVR pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\
    ether2-Buidling-Switch,ether3-Buidling-PC,ether4-Buidling-NVR vlan-ids=10
add bridge=bridge tagged=bridge untagged="ether5-Home,ether6-Home,ether7-Home,\
    ether9-Home,ether10-Home,ether11-Home,ether12-Home,sfp2-Home-To-Switch-10G\
    ,sfp4-Home-PC-10G" vlan-ids=5
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add interface=pppoe-Bezeq list=WAN
add interface=sfp3-Hot-Wan-10G list=WAN
add interface=vlanHome list=LAN
add interface=vlanBuilding list=LAN
add interface=Off-Bridge list=LAN
/ip address
add address=198.168.77.1/24 interface=vlanBuilding network=198.168.77.0
add address=192.168.88.1/24 interface=vlanHome network=192.168.88.0
add address=192.168.55.1/30 interface=Off-Bridge network=192.168.55.0
/ip dhcp-server network
add address=192.168.77.0/24 dns-server=192.168.77.1 gateway=192.168.77.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow SSH" port=15235 protocol=tcp
add action=accept chain=input comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface=sfp3-Hot-Wan-10G src-address=192.168.77.0/24
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface=pppoe-Bezeq src-address=192.168.88.0/24
add action=accept chain=forward comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp3-Hot-Wan-10G
add action=masquerade chain=srcnat out-interface=pppoe-Bezeq
/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 \
    routing-table=main scope=10 target-scope=12
add distance=2 dst-address=9.9.9.9/32 gateway=pppoe-Bezeq routing-table=main \
    scope=10 target-scope=11
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=8.8.4.4 \
    routing-table=main scope=10 target-scope=12
add disabled=no distance=4 dst-address=8.8.4.4/32 gateway=192.168.1.10 \
    pref-src="" routing-table=main scope=10 suppress-hw-offload=no \
    target-scope=11
add dst-address=0.0.0.0/0 gateway=pppoe-Bezeq routing-table=rtab-2
/ip ssh
set forwarding-enabled=local host-key-size=4096 host-key-type=ed25519 \
    strong-crypto=yes
/routing rule
add action=lookup-only-in-table disabled=no min-prefix=0 table=main
add action=lookup disabled=no src-address=192.168.88.0/24 table=rtab-1
add action=lookup disabled=no src-address=192.168.77.0/24 table=rtab-2
/system clock
set time-zone-name=***
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server mac-winbox
set allowed-interface-list=LAN
5

Changes to the current config:
You slay me with some stuff you added that I didnt recommend LOL.

For example I gave you this:
/interface bridge
add name=bridge vlan-filtering=no { change to yes as the last step in configuration }

and you config this...........
add frame-types=admit-only-untagged-and-priority-tagged name=bridge pvid=1
vlan-filtering=yes ( assuming the No went to Yes at the end )

Another example, adding Relay to ip dhpc-server settings, a non-standard entry out of the blue ?????
?????????????????????????????????????????????????????????????????

Changes to the current config: Yes, suggest make all changed FROM off bridge access!!!
You never configured a firewall address list called AUTHORIZED and thus if you actually enable and put in the last rule in the input chain, block all else you WILL lock yourself out.
......

model = CCR2116-12G-4S+

/interface bridge
add name=bridge vlan-filtering=off { turn on at end of config process }

/ip pool
add name=dhcp_pool4 ranges=192.168.88.11-192.168.88.254
add name=dhcp_pool5 ranges=192.168.77.11-192.168.77.254

/ip dhcp-server { no need to relay, unless you can explain why! }
add address-pool=dhcp_pool4 interface=bridge name=dhcp1
add address-pool=dhcp_pool5 interface=bridge name=dhcp2

/interface bridge port { I put the ports in order }
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether1-Buidling pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether2-Buidling-Switch pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether3-Buidling-PC pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether4-Buidling-NVR pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether5-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether6-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether7-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether8-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether9-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether10-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether11-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=ether12-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=sfp2-Home-To-Switch-10G pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged
interface=sfp4-Home-PC-10G pvid=5

/interface bridge vlan { was missing ether1,ether8 in my previous config }
add bridge=bridge tagged=bridge untagged=
ether1,ether2-Buidling-Switch,ether3-Buidling-PC,ether4-Buidling-NVR vlan-ids=10
add bridge=bridge tagged=bridge untagged="ether5-Home,ether6-Home,ether7-Home,
**ether8-Home,**ether9-Home,ether10-Home,ether11-Home,ether12-Home,sfp2-Home-To-Switch-10G
,sfp4-Home-PC-10G" vlan-ids=5

/interface detect-internet
set detect-interface-list=NONE internet-interface-list=NONE lan-interface-list=LAN all wan-interface-list=NONE

/interface list member
add interface=pppoe-Bezeq list=WAN comment="using port sfp1"
add interface=sfp3-Hot-Wan-10G list=WAN
add interface=vlanHome list=LAN
add interface=vlanBuilding list=LAN
add interface=Off-Bridge list=LAN

_/ip address
add address=198.168.77.1/24 interface=vlanBuilding network=198.168.77.0
add address=192.168.88.1/24 interface=vlanHome network=192.168.88.0
add address=192.168.55.1/30 interface=Off-Bridge network=192.16_8.55.0

/ip dhcp-server network
add address=192.168.77.0/24 dns-server=192.168.77.1 gateway=192.168.77.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.2,8.8.8.8

/ip firewall address-list { set dhcp leases to static for these IPs }
add address=192.168.77.XX list=Authorized comment="admin device 1 on building"
add address=192.168.77.XX list=Authorized comment="admin device 2 on building"
add address=192.168.88.XX list=Authorized comment="admin device 3 in home"
add address=192.168.88.XX list=Authorized comment="admin device 4 in home"
add address=192.168.55.2 list=Authorized comment="Off Bridge port access"

/ip firewall filter { Keep chains together! }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow SSH" port=15235 protocol=tcp
add action=accept chain=input comment="admin access" in-interface-list=LAN
src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53
in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else" disabled =yes { Enable when firewall address Authorized list is created !!}
++++++++++++++
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=forward connection-state=
established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=
LAN out-interface=sfp3-Hot-Wan-10G src-address=192.168.77.0/24
add action=accept chain=forward comment="internet traffic" in-interface-list=
LAN out-interface=pppoe-Bezeq src-address=192.168.88.0/24
add action=accept chain=forward comment="admin access" in-interface-list=LAN
src-address-list=Authorized
add action=drop chain=forward comment="drop all else"

/ip route
{ main table routes }
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9
routing-table=main scope=10 target-scope=12
add distance=2 dst-address=9.9.9.9/32 gateway=pppoe-Bezeq routing-table=main
scope=10 target-scope=11
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=8.8.4.4
routing-table=main scope=10 target-scope=12
add distance=4 dst-address=8.8.4.4/32 gateway=sfp3-gateway-IP
routing-table=main scope=10 target-scope=11
++++++++++++++++++++++++
{ special table routes }
add dst-address=0.0.0.0/0 gateway=pppoe-Bezeq routing-table=rtab-1
add dst-address=0.0.0.0/0 gateway=sfp3-gateway-IP routing-table=rtab-2

/routing rule
add action=lookup-only-in-table disabled=no min-prefix=0 table=main
add action=lookup disabled=no src-address=192.168.88.0/24 table=rtab-1
add action=lookup disabled=no src-address=192.168.77.0/24 table=rtab-2

6

Thx again for the help; I’m a newbie so sorry for those fatal mistakes.
The reason I put “Relay” in the DHCP Server is due to “failure: server or relay with such interface already exists”
I’m getting on the terminal when I apply the 2nd DHCP without Relay. See the print screen attached.
any idea why?
Screenshot 2024-07-26 012413.png
Screenshot 2024-07-26 010153.png

7

So, putting aside that I was not able to create the 2nd DHCP Server
Here is the current configuration after your changes.
Note:

  1. I change this to “yes” only in the end “vlan-filtering=yes
  2. I change this to “no” only in the end “add action=drop chain=input comment=“Drop all else” disabled =no

Still, the 1st DHCP is red (inactive), no access terminal with PC on IP 192.168.77.5, and also PC network card on 192.168.77.5 shows “unidentified network”

Config below is with “vlan-filtering=no” and " “add action=drop chain=input comment=“Drop all else” disabled =yes
But I changed after, and it’s still the same.

# 2024-07-26 01:47:23 by RouterOS 7.11.3
# software id = 4LGQ-ZLD6
#
# model = CCR2116-12G-4S+
# serial number = ****
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether13 ] name=Off-Bridge
set [ find default-name=ether1 ] name=ether1-Building
set [ find default-name=ether2 ] name=ether2-Buidling-Switch
set [ find default-name=ether3 ] name=ether3-Buidling-PC
set [ find default-name=ether4 ] name=ether4-Buidling-NVR
set [ find default-name=ether5 ] name=ether5-Home
set [ find default-name=ether6 ] name=ether6-Home
set [ find default-name=ether7 ] name=ether7-Home
set [ find default-name=ether8 ] name=ether8-Home
set [ find default-name=ether9 ] name=ether9-Home
set [ find default-name=ether10 ] name=ether10-Home
set [ find default-name=ether11 ] name=ether11-Home
set [ find default-name=ether12 ] name=ether12-Home
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no name=\
    sfp1-Bezeq-Wan-10G
set [ find default-name=sfp-sfpplus2 ] auto-negotiation=no name=\
    sfp2-Home-To-Switch-10G
set [ find default-name=sfp-sfpplus3 ] auto-negotiation=no name=\
    sfp3-Hot-Wan-10G
set [ find default-name=sfp-sfpplus4 ] auto-negotiation=no name=\
    sfp4-Home-PC-10G
/interface pppoe-client
add disabled=no interface=sfp1-Bezeq-Wan-10G name=pppoe-Bezeq user=\
    ****
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool4 ranges=192.168.88.11-192.168.88.254
add name=dhcp_pool5 ranges=192.168.77.11-192.168.77.254
/ip dhcp-server
add address-pool=dhcp_pool4 interface=bridge name=dhcp1
/port
set 0 name=serial0
/routing table
add disabled=no fib name=rtab-1
add disabled=no fib name=rtab-2
/interface vlan
add interface=bridge name=vlanBuilding vlan-id=10
add interface=bridge name=vlanHome vlan-id=5
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1-Building pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-Buidling-Switch pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-Buidling-PC pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4-Buidling-NVR pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether9-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether10-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether11-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether12-Home pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp2-Home-To-Switch-10G pvid=5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=sfp4-Home-PC-10G pvid=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=Off-Bridge untagged=\
    ether1-Building,ether2-Buidling-Switch,ether3-Buidling-PC,ether5-Home \
    vlan-ids=10
add bridge=bridge tagged=Off-Bridge untagged="ether5-Home,ether6-Home,ether7-H\
    ome,ether8-Home,ether9-Home,ether10-Home,ether11-Home,ether12-Home,sfp2-Ho\
    me-To-Switch-10G,sfp4-Home-PC-10G" vlan-ids=5
/interface detect-internet
set lan-interface-list=all
/interface list member
add comment="using port sfp1" interface=pppoe-Bezeq list=WAN
add interface=sfp3-Hot-Wan-10G list=WAN
add interface=vlanHome list=LAN
add interface=vlanBuilding list=LAN
add interface=Off-Bridge list=LAN
/ip address
add address=198.168.77.1/24 interface=vlanBuilding network=198.168.77.0
add address=192.168.88.1/24 interface=vlanHome network=192.168.88.0
add address=192.168.55.1/30 interface=Off-Bridge network=192.168.55.0
/ip dhcp-client
add add-default-route=no interface=sfp3-Hot-Wan-10G
/ip dhcp-server network
add address=192.168.77.0/24 dns-server=192.168.77.1 gateway=192.168.77.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,8.8.8.8
/ip firewall address-list
add address=192.168.77.5 comment="admin device 1 on building" list=Authorized
add address=192.168.88.5 comment="admin device 2 in home" list=Authorized
add address=192.168.55.2 comment="Off Bridge port access" list=Authorized
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allow SSH" port=15235 protocol=tcp
add action=accept chain=input comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else" disabled=yes
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface=sfp3-Hot-Wan-10G src-address=192.168.77.0/24
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface=pppoe-Bezeq src-address=192.168.88.0/24
add action=accept chain=forward comment="admin access" in-interface-list=LAN \
    src-address-list=Authorized
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp3-Hot-Wan-10G
add action=masquerade chain=srcnat out-interface=pppoe-Bezeq
/ip route
add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 \
    routing-table=main scope=10 target-scope=12
add check-gateway=ping distance=4 dst-address=0.0.0.0/0 gateway=8.8.4.4 \
    routing-table=main scope=10 target-scope=12
add distance=2 dst-address=9.9.9.9/32 gateway=pppoe-Bezeq routing-table=main \
    scope=10 target-scope=11
add distance=4 dst-address=8.8.4.4/32 gateway=192.168.1.10 routing-table=main \
    scope=10 target-scope=11
/ip ssh
set forwarding-enabled=local host-key-size=4096 host-key-type=ed25519 \
    strong-crypto=yes
/routing rule
add action=lookup-only-in-table disabled=no min-prefix=0 table=main
add action=lookup disabled=no src-address=192.168.88.0/24 table=rtab-1
add action=lookup disabled=no src-address=192.168.77.0/24 table=rtab-2
/system clock
set time-zone-name=****
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Screenshot 2024-07-26 015229.png

8

Ahh okay, the bridge is not the interface, I should have noticed that…,

Wrong:
/ip dhcp-server { no need to relay, unless you can explain why! }
add address-pool=dhcp_pool4 interface=bridge name=dhcp1
add address-pool=dhcp_pool5 interface=bridge name=dhcp2

Correct:
/ip dhcp-server { no need to relay, unless you can explain why! }
add address-pool=dhcp_pool4 interface=vlanHome=dhcp1
add address-pool=dhcp_pool5 interface=vlanBuilding name=dhcp2

All should be smooth sailing after those changes…

9

Changed, DHCP is not red anymore; however, it is still an “unidentified network” on PC connected to ether3 and set to get Dynamic IP or set to 192.168.77.5
also no internet from PC. (ping work on router terminal)
also, DHCP don’t show any “leases” (and there should be many)
also look at the “0” transfer rates over the interfaces; something is wrong, maybe on the firewall or the routing.
Screenshot 2024-07-26 030107.png

10

Dont see anything obvious.
This rule needs to be modified
add action=fasttrack-connection chain=forward hw-offload=yes

TO:
add action=fasttrack-connection chain=forward connection-state=established,related

Try rebooting the router.

11

I’ve tried to reboot and still nothing. tries to disable all firewall rules and still nothing.