2x CRS328 with shared VLANs

Hello,

I have been trying for the last couple of days to find a solution to a problem I have.
Currently we have two CRS328 switches installed, which are connected to each other. They are installed in two houses.
I have configured various VLANs. Most of them are private to one house, but at least a couple are shared.
network.jpg
By the way, I have since changed one thing: the first VLAN is no longer 1 but 100.

The problem is that inter-VLAN routing is only partially working. Clients in VLAN 20 can reach VLAN 100 and vice versa, but clients in VLAN 10 cannot.
I am not sure what I am missing in the config.

Here is the config of 10.1.1.253:

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=ch_01_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2417 name=ch_02_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2422 name=ch_03_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2427 name=ch_04_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=ch_05_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=ch_06_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2442 name=ch_07_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2447 name=ch_08_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=ch_09_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2457 name=ch_10_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=ch_11_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=ch_12_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=ch_13_2400_20_bgn
/interface bridge
add admin-mac=B8:69:F4:E5:1E:AC auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="*** Sony TV ***"
set [ find default-name=ether2 ] comment="*** COMpact 5500R ***"
set [ find default-name=ether3 ] comment="*** COMfortel WS-400 ***"
set [ find default-name=ether4 ] comment="*** COMfortel 3600IP ***"
set [ find default-name=ether9 ] comment="*** AP basement ***"
set [ find default-name=ether10 ] comment="*** AP ground floor ***"
set [ find default-name=ether11 ] comment="*** AP 1st floor ***"
set [ find default-name=ether22 ] comment="*** Link ***"
set [ find default-name=ether23 ] comment="*** Nova ***"
set [ find default-name=ether24 ] comment="*** Modem ***"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface pppoe-client
# PPPoE WAN session on ether24 (the port labelled "Modem"); user and password are masked in this post.
# NOTE(review): allow=pap,chap lets the session fall back to PAP, which sends the password unprotected on the access link; restrict to chap if the ISP supports it (confirm with the provider).
add allow=pap,chap disabled=no interface=ether24 keepalive-timeout=900 max-mru=1492 max-mtu=1492 name=pppoe-Philip password=***** user=************
/interface vlan
add comment=Native interface=bridge mtu=1492 name="VLAN 1 - Native" vlan-id=1
add comment=Philip interface=bridge mtu=1492 name="VLAN 10 - Philip" vlan-id=10
add comment=Costas interface=bridge mtu=1492 name="VLAN 20 - Costas" vlan-id=20
add comment=Security interface=bridge mtu=1492 name="VLAN 99 - Security" vlan-id=99
add comment="Common " interface=bridge name="VLAN 100 - Common" vlan-id=100
add comment="Philip guest " interface=bridge mtu=1492 name="VLAN 110 - PL Guest" vlan-id=110
add comment="Costas guest " interface=bridge mtu=1492 name="VLAN 120 - CL Guest" vlan-id=120
add comment=PL_Shelly interface=bridge mtu=1492 name="VLAN 210 - PL_Shelly" vlan-id=210
add comment=CL_Shelly interface=bridge mtu=1492 name="VLAN 220 - CL_Shelly" vlan-id=220
/caps-man datapath
# Single datapath referenced by every CAPsMAN configuration in this export, including the guest and Shelly SSIDs.
# NOTE(review): client-to-client-forwarding=yes lets wireless clients on the same interface reach each other directly; guest and IoT SSIDs would normally get their own datapath with this set to no. Confirm whether client isolation is wanted there.
add bridge=bridge client-to-client-forwarding=yes name=datapath1
/caps-man security
# One pre-shared-key profile per SSID; the passphrases are masked in this post.
# NOTE(review): authentication-types lists wpa-psk next to wpa2-psk, so clients can still associate with the older WPA handshake; removing wpa-psk leaves WPA2 only. Check that no legacy client depends on it.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Costas_sec passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Philip_sec passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=CL_guest_sec passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=PL_guest_sec passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=CLShelly passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=PLShelly passphrase=******
/caps-man configuration
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name=CL rx-chains=0,1 security=Costas_sec \
    ssid=LCHome tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name=PL rx-chains=0,1 security=Philip_sec \
    ssid="Philip Home" tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=110 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name=PL_guest rx-chains=0,1 security=\
    PL_guest_sec ssid="Philip Guest" tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=120 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name=CL_guest rx-chains=0,1 security=\
    CL_guest_sec ssid="Costas Guest" tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=220 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hide-ssid=yes hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name="CL Shelly" rx-chains=\
    0,1 security=CLShelly ssid=CLShelly tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=210 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hide-ssid=yes hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name="PL Shelly" rx-chains=\
    0,1 security=PLShelly ssid=PLShelly tx-chains=0,1
/caps-man interface
add configuration=CL disabled=no l2mtu=1600 mac-address=CC:2D:E0:7B:C5:EB master-interface=none name="LP 1st floor-1" radio-mac=CC:2D:E0:7B:C5:EB radio-name=CC2DE07BC5EB
add configuration=PL disabled=no l2mtu=1600 mac-address=CE:2D:E0:7B:C5:EB master-interface="LP 1st floor-1" name="LP 1st floor-1-1" radio-mac=00:00:00:00:00:00 radio-name=CE2DE07BC5EB
add configuration=CL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:7B:C5:EC master-interface="LP 1st floor-1" name="LP 1st floor-1-2" radio-mac=00:00:00:00:00:00 radio-name=CE2DE07BC5EC
add configuration=PL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:7B:C5:ED master-interface="LP 1st floor-1" name="LP 1st floor-1-3" radio-mac=00:00:00:00:00:00 radio-name=CE2DE07BC5ED
add configuration="CL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:7B:C5:EE master-interface="LP 1st floor-1" name="LP 1st floor-1-4" radio-mac=00:00:00:00:00:00 radio-name=CE2DE07BC5EE
add configuration="PL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:7B:C5:EF master-interface="LP 1st floor-1" name="LP 1st floor-1-5" radio-mac=00:00:00:00:00:00 radio-name=CE2DE07BC5EF
add configuration=CL disabled=no l2mtu=1600 mac-address=CC:2D:E0:96:95:DB master-interface=none name="LP basement-1" radio-mac=CC:2D:E0:96:95:DB radio-name=CC2DE09695DB
add configuration=PL disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:95:DB master-interface="LP basement-1" name="LP basement-1-1" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09695DB
add configuration=CL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:95:DC master-interface="LP basement-1" name="LP basement-1-2" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09695DC
add configuration=PL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:95:DD master-interface="LP basement-1" name="LP basement-1-3" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09695DD
add configuration="CL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:95:DE master-interface="LP basement-1" name="LP basement-1-4" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09695DE
add configuration="PL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:95:DF master-interface="LP basement-1" name="LP basement-1-5" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09695DF
add configuration=CL disabled=no l2mtu=1600 mac-address=CC:2D:E0:96:92:F5 master-interface=none name="LP ground floor-1" radio-mac=CC:2D:E0:96:92:F5 radio-name=CC2DE09692F5
add configuration=PL disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:92:F5 master-interface="LP ground floor-1" name="LP ground floor-1-1" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09692F5
add configuration=CL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:92:F6 master-interface="LP ground floor-1" name="LP ground floor-1-2" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09692F6
add configuration=PL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:92:F7 master-interface="LP ground floor-1" name="LP ground floor-1-3" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09692F7
add configuration="CL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:92:F8 master-interface="LP ground floor-1" name="LP ground floor-1-4" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09692F8
add configuration="PL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:92:F9 master-interface="LP ground floor-1" name="LP ground floor-1-5" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09692F9
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GW10
add name=GW20
add name=GW110
add name=GW120
add name=GW99
add name=GW210
add name=GW220
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=Philip ranges=10.1.10.50-10.1.10.149
add name="PL Guest" ranges=10.1.110.50-10.1.110.149
add name="PL Shelly" ranges=10.1.210.50-10.1.210.149
add name=Common ranges=10.1.1.50-10.1.1.99
add name=Native ranges=10.1.100.50-10.1.100.99
/ip dhcp-server
add address-pool=Philip disabled=no interface="VLAN 10 - Philip" lease-time=1d name="Philip DHCP"
add address-pool="PL Guest" disabled=no interface="VLAN 110 - PL Guest" lease-time=30m name="PL Guest DHCP"
add address-pool="PL Shelly" disabled=no interface="VLAN 210 - PL_Shelly" lease-time=1d name="PL Shelly DHCP"
add address-pool=Native disabled=no interface="VLAN 1 - Native" lease-time=1d name="Native DHCP"
add address-pool=Common disabled=no interface="VLAN 100 - Common" lease-time=1d name="Common DHCP"
/ppp profile
add bridge=bridge dns-server=10.1.1.254 local-address=10.1.1.254 name=OVPNprofile remote-address=Common
/caps-man manager
set ca-certificate=CAPsMAN-CA-B869F4E51EAC certificate=CAPsMAN-B869F4E51EAC enabled=yes
/caps-man manager interface
add disabled=no interface=bridge
/caps-man provisioning
add action=create-enabled hw-supported-modes=gn,b master-configuration=CL name-format=identity slave-configurations="PL,CL_guest,PL_guest,CL Shelly,PL Shelly"
/interface bridge port
add bridge=bridge comment=VLAN10 frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge comment=VLAN10 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=VLAN10 frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether7
add bridge=bridge comment=VLAN10 frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge comment=defconf interface=ether9 pvid=100
add bridge=bridge comment=defconf interface=ether10 pvid=100
add bridge=bridge comment=defconf interface=ether11 pvid=100
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23 pvid=100
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 1 - Native"
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 10 - Philip" pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 20 - Costas" pvid=20
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 99 - Security" pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 110 - PL Guest" pvid=110
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 120 - CL Guest" pvid=120
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 210 - PL_Shelly" pvid=210
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 220 - CL_Shelly" pvid=220
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 100 - Common" pvid=100
/ip settings
set allow-fast-path=no
/interface bridge vlan
# VLAN membership table for the filtering bridge. ether22 is the inter-switch link and ether9-ether11 are the AP ports (see the /interface ethernet comments).
# NOTE(review): every tagged list also names the /interface vlan entry itself (for example "VLAN 10 - Philip"), and those VLAN interfaces are added as bridge ports in /interface bridge port. A VLAN interface that sits on the bridge normally needs only "bridge" in the tagged list. Verify this is intended, as it may be related to the partial inter-VLAN reachability.
add bridge=bridge tagged="ether22,bridge,ether9,ether10,ether11,VLAN 10 - Philip" vlan-ids=10
add bridge=bridge tagged="ether9,bridge,ether11,ether10,ether22,VLAN 20 - Costas" vlan-ids=20
# VLAN 1 is not tagged on ether22, so it is not carried tagged over the inter-switch link.
add bridge=bridge tagged="bridge,VLAN 1 - Native" vlan-ids=1
add bridge=bridge tagged="ether22,bridge,ether9,ether10,ether11,VLAN 110 - PL Guest" vlan-ids=110
add bridge=bridge tagged="ether22,bridge,ether9,ether10,ether11,VLAN 120 - CL Guest" vlan-ids=120
add bridge=bridge tagged="ether22,bridge,ether9,ether10,ether11,VLAN 210 - PL_Shelly" vlan-ids=210
add bridge=bridge tagged="ether22,bridge,ether9,ether10,ether11,VLAN 220 - CL_Shelly" vlan-ids=220
add bridge=bridge tagged="ether22,bridge,VLAN 99 - Security" vlan-ids=99
# VLAN 100 is tagged only on the bridge and the inter-switch link; the access and AP ports with pvid=100 join it untagged.
add bridge=bridge tagged="bridge,ether22,VLAN 100 - Common" vlan-ids=100
/interface list member
add interface=ether24 list=WAN
add interface=bridge list=LAN
add interface=pppoe-Philip list=WAN
add interface=pppoe-Philip list=GW110
add interface=pppoe-Philip list=GW210
/interface ovpn-server server
# OpenVPN server listening on TCP 1443, handing clients the OVPNprofile PPP profile.
# NOTE(review): the firewall filter rule commented "VPN connections" accepts dst-port=443, not 1443; one of the two looks stale.
# NOTE(review): auth=sha1 is the only HMAC offered, and require-client-certificate does not appear in this export, so presumably clients authenticate with the PPP secret alone. Confirm.
set auth=sha1 certificate=cert_export_ca.crt_0.crt_0 cipher=aes256 default-profile=OVPNprofile enabled=yes port=1443
/ip address
add address=10.1.1.253/24 comment=Common interface="VLAN 100 - Common" network=10.1.1.0
add address=10.1.10.1/24 comment="Philip Gateway" interface="VLAN 10 - Philip" network=10.1.10.0
add address=10.1.110.1/24 comment="PL Guest Gateway" interface="VLAN 110 - PL Guest" network=10.1.110.0
add address=10.1.210.1/24 comment="PL Shelly Gateway" interface="VLAN 210 - PL_Shelly" network=10.1.210.0
add address=10.1.252.1/30 interface=ether24 network=10.1.252.0
add address=10.1.20.254/24 comment="Costas VLAN" interface="VLAN 20 - Costas" network=10.1.20.0
add address=10.1.120.254/24 comment="CL Guest VLAN" interface="VLAN 120 - CL Guest" network=10.1.120.0
add address=10.1.220.254/24 comment="CL_Selly VLAN" interface="VLAN 220 - CL_Shelly" network=10.1.220.0
add address=10.1.99.254/24 comment="Security VLAN" interface="VLAN 99 - Security" network=10.1.99.0
add address=10.1.100.253/24 interface="VLAN 1 - Native" network=10.1.100.0
/ip dhcp-server lease
add address=10.1.1.50 comment="Nova Costas" mac-address=B4:F2:E8:96:8B:64 server="Native DHCP"
add address=10.1.1.51 comment="Nova Philip" mac-address=E8:82:5B:5C:C5:07 server="Native DHCP"
add address=10.1.1.120 client-id=1:e4:8d:8c:ce:d1:a6 mac-address=E4:8D:8C:CE:D1:A6 server="Native DHCP"
add address=10.1.1.121 client-id=1:cc:2d:e0:96:96:cc mac-address=CC:2D:E0:96:96:CC server="Native DHCP"
add address=10.1.1.122 client-id=1:cc:2d:e0:9d:73:bc mac-address=CC:2D:E0:9D:73:BC server="Native DHCP"
add address=10.1.1.111 client-id=1:cc:2d:e0:96:92:f4 mac-address=CC:2D:E0:96:92:F4 server="Native DHCP"
add address=10.1.1.110 client-id=1:cc:2d:e0:96:95:da mac-address=CC:2D:E0:96:95:DA server="Native DHCP"
add address=10.1.1.112 mac-address=CC:2D:E0:7B:C5:EA server="Native DHCP"
/ip dhcp-server network
add address=10.1.1.0/24 comment="Common Network" dns-server=8.8.8.8,8.8.4.4 gateway=10.1.1.254
add address=10.1.10.0/24 comment="Philip Network" dns-server=1.1.1.1,1.0.0.1 gateway=10.1.10.1
add address=10.1.100.0/24 comment="Native Network" dns-server=1.1.1.1,1.0.0.1 gateway=10.1.100.254 netmask=24
add address=10.1.110.0/24 comment="PL Guest Network" dns-server=8.8.8.8,8.8.4.4 gateway=10.1.110.1
add address=10.1.210.0/24 comment="PL Shelly network " dns-server=1.1.1.1,1.0.0.1 gateway=10.1.210.1 ntp-server=10.1.1.240
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=10.1.1.0/24 list=Common
add address=10.1.10.0/24 list=Philip
add address=10.1.20.0/24 list=Costas
add address=192.168.2.0/24 list=Office
add address=10.1.99.0/24 list=Security
add address=10.1.110.0/24 list="PL Guest"
add address=10.1.120.0/24 list="CL Guest"
add address=10.1.210.0/24 list=PL_Shelly
add address=10.1.220.0/24 list=CL_Shelly
add address=10.1.1.0/24 list=Local
add address=10.1.10.0/24 list=Local
add address=10.1.20.0/24 list=Local
add address=10.1.99.0/24 list=Local
add address=192.168.2.0/24 list=Local
add address=10.1.100.0/24 list=Local
add address=10.1.252.0/30 list=Local
add address=10.1.252.4/30 list=Local
add address=10.1.199.0/24 list=Local
/ip firewall filter
# Filter rules are evaluated top to bottom per chain; the first match wins, and a packet that matches nothing is accepted.
# IPsec (AH, ESP, IKE on UDP 500, NAT-T on UDP 4500) is accepted on input from any interface.
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=500 protocol=udp
add action=accept chain=input port=4500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# NOTE(review): this accepts TCP 443, but the OpenVPN server in this export listens on port 1443; check which port is meant.
add action=accept chain=input comment="VPN connections" dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# All remaining input traffic, from every interface and not only the WAN, is sent through the DNS_DDoS chain.
add action=jump chain=input comment="Jump to DNS_DDoS Chain" jump-target=DNS_DDoS
# NOTE(review): the DNS_Accept address list is not defined in /ip firewall address-list in this export. If it is empty, the two exception rules never match, and every source of a new UDP port-53 packet is listed permanently (none-dynamic) and then dropped, including internal clients.
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" port=53 protocol=udp src-address-list=DNS_Accept
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" dst-address-list=DNS_Accept port=53 protocol=tcp
add action=add-src-to-address-list address-list=DNS_DDoS address-list-timeout=none-dynamic chain=DNS_DDoS comment="Add DNS_DDoS Offenders to Blacklist" port=53 protocol=udp src-address-list=!DNS_Accept
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" src-address-list=DNS_DDoS
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain"
# NOTE(review): no rule in this section jumps to chain=icmp, so the ICMP type filter below is never reached as exported.
add action=accept chain=icmp comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="Net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="Host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="Allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="Allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="Allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Deny all other types"
# Drops every ICMP packet arriving on the PPPoE interface that was not already accepted by the established/related rule above.
add action=drop chain=input comment="Disable ICMP ping" in-interface=pppoe-Philip protocol=icmp
# Scan detection: sources matching these TCP patterns are listed for two weeks and dropped by the rule that follows. Only the first rule is limited to the PPPoE interface; the flag-based rules match on any interface.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " in-interface=pppoe-Philip protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" src-address-list="port scanners"
# NOTE(review): apart from the WAN and invalid-state drops at the end, no forward rule separates the guest and Shelly VLANs from the private ones. Whether they can reach each other is then decided by routing alone.
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# NOTE(review): this accepts every new connection to the router itself from the PPPoE (WAN) interface that was not dropped above. Together with the disabled "drop all not coming from LAN" rule, the input chain has no effective default drop. Replace it with accepts for the specific services that must be reachable from the WAN, and enable a final drop.
add action=accept chain=input in-interface=pppoe-Philip
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Disabled in this export. Note that only "bridge" is a member of the LAN list, so enabling this as-is would presumably also drop input arriving on the VLAN interfaces. Verify list membership first.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=Local new-routing-mark=Intervlan passthrough=no src-address-list=Local
add action=mark-routing chain=prerouting dst-address-list=Local in-interface=bridge new-routing-mark=Intervlan passthrough=no
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=Nova_Costas passthrough=no src-address=10.1.1.50
add action=mark-routing chain=prerouting new-routing-mark=Nova_Philip passthrough=no src-address=10.1.1.51 src-address-type=!local
add action=mark-routing chain=prerouting dst-address-list=!Local dst-address-type=!local new-routing-mark=Common passthrough=yes src-address-list=Common
add action=mark-routing chain=prerouting dst-address-list=!Local dst-address-type=!local new-routing-mark=Philip passthrough=yes src-address-list=Philip
add action=mark-routing chain=prerouting dst-address-list=!Local dst-address-type=!local new-routing-mark=Costas passthrough=yes src-address-list=Costas
add action=mark-routing chain=prerouting dst-address-list=!Local dst-address-type="" new-routing-mark=CL_Guest passthrough=no src-address-list="CL Guest"
add action=mark-routing chain=prerouting dst-address-list=!Local dst-address-type="" new-routing-mark=PL_Guest passthrough=no src-address-list="PL Guest"
add action=mark-routing chain=prerouting dst-address-list=!Local dst-address-type=!local new-routing-mark=PL_Shelly passthrough=yes src-address-list=PL_Shelly
add action=mark-routing chain=prerouting dst-address-list=!Local dst-address-type=!local new-routing-mark=CL_Shelly passthrough=yes src-address-list=CL_Shelly
add action=change-mss chain=forward new-mss=1452 out-interface=pppoe-Philip passthrough=yes protocol=tcp tcp-flags=syn,!rst tcp-mss=1453-65535
add action=change-mss chain=forward in-interface=pppoe-Philip new-mss=1452 passthrough=yes protocol=tcp tcp-flags=syn,!rst tcp-mss=1453-65535
/ip firewall nat
add action=accept chain=input in-interface=bridge ipsec-policy=in,ipsec
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.1.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.10.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.20.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.99.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.120.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.110.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.210.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.220.0/24
add action=masquerade chain=srcnat comment="NAT for Modem" dst-address=10.1.252.2 out-interface=ether24 src-address-list=Local
add action=masquerade chain=srcnat out-interface=pppoe-Philip
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=10.1.1.254 routing-mark=Nova_Costas
add check-gateway=ping distance=1 gateway=pppoe-Philip routing-mark=Nova_Philip
add check-gateway=ping distance=1 gateway=10.1.1.254 routing-mark=Common
add check-gateway=ping distance=2 gateway=pppoe-Philip routing-mark=Common
add check-gateway=ping distance=1 gateway=pppoe-Philip routing-mark=Philip
add check-gateway=ping distance=2 gateway=10.1.1.254 routing-mark=Philip
add check-gateway=ping distance=1 gateway=10.1.1.254 routing-mark=Costas
add check-gateway=ping distance=2 gateway=pppoe-Philip routing-mark=Costas
add check-gateway=ping distance=1 gateway=10.1.1.254 routing-mark=CL_Guest
add check-gateway=ping distance=1 gateway=pppoe-Philip routing-mark=PL_Guest
add check-gateway=ping distance=1 gateway=pppoe-Philip routing-mark=PL_Shelly
add check-gateway=ping distance=2 gateway=10.1.1.254 routing-mark=PL_Shelly
add check-gateway=ping distance=1 gateway=10.1.1.254 routing-mark=CL_Shelly
add check-gateway=ping distance=2 gateway=pppoe-Philip routing-mark=CL_Shelly
add check-gateway=ping distance=1 gateway=pppoe-Philip
add check-gateway=ping distance=1 gateway=10.1.1.254
add check-gateway=ping distance=2 gateway=pppoe-Philip
add distance=1 dst-address=192.168.2.0/24 gateway=10.1.1.254
add check-gateway=ping distance=1 dst-address=xxx.xxx.xxx.xxx/32 gateway=10.1.1.254
add check-gateway=ping distance=2 dst-address=xxx.xxx.xxx.xxx/32 gateway=pppoe-Philip
/ip service
# Management services, each limited by source address to 10.1.0.0/16 and 192.168.2.0/24.
# NOTE(review): 10.1.0.0/16 also covers the guest (10.1.110.0/24, 10.1.120.0/24) and Shelly (10.1.210.0/24, 10.1.220.0/24) subnets, so clients there fall inside the allowed range.
# NOTE(review): telnet, ftp, www and api are unencrypted, and none is shown as disabled in this export. Set disabled=yes on the ones not in use and keep ssh, winbox or api-ssl for management.
set telnet address=10.1.0.0/16,192.168.2.0/24
set ftp address=10.1.0.0/16,192.168.2.0/24
set www address=10.1.0.0/16,192.168.2.0/24
set ssh address=10.1.0.0/16,192.168.2.0/24
set api address=10.1.0.0/16,192.168.2.0/24
set winbox address=10.1.0.0/16,192.168.2.0/24
set api-ssl address=10.1.0.0/16,192.168.2.0/24
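/ip ssh
# allow-none-crypto=no: refuse SSH sessions that negotiate the "none" cipher. The posted export had yes, which permits unencrypted SSH sessions to the device.
# NOTE(review): forwarding-enabled=remote keeps SSH remote port forwarding available through this device; confirm it is still needed.
set allow-none-crypto=no forwarding-enabled=remote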
/ppp secret
add name=******** password=*********** service=ovpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="Switch Philip"
/system ntp client
set enabled=yes primary-ntp=194.177.210.54 secondary-ntp=62.217.127.33 server-dns-names=gr.pool.ntp.org
/system routerboard settings
set boot-os=router-os

And the one from 10.1.1.254:

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=ch_01_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2417 name=ch_02_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2422 name=ch_03_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2427 name=ch_04_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=ch_05_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=ch_06_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2442 name=ch_07_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2447 name=ch_08_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=ch_09_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2457 name=ch_10_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=ch_11_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=ch_12_2400_20_bgn
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=ch_13_2400_20_bgn
/interface bridge
add admin-mac=74:4D:28:E3:E8:86 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="*** PC office ***"
set [ find default-name=ether2 ] comment="*** Sony TV/PS4/Home Cinema ***"
set [ find default-name=ether3 ] comment="*** COMfortel 3600IP ***"
set [ find default-name=ether4 ] comment="*** COMfortel WS-Base ***"
set [ find default-name=ether5 ] comment="*** AP basement ***"
set [ find default-name=ether6 ] comment="*** AP ground floor ***"
set [ find default-name=ether7 ] comment="*** AP 1st floor ***"
set [ find default-name=ether8 ] comment="*** NAS ***"
set [ find default-name=ether22 ] comment="*** Link ***"
set [ find default-name=ether23 ] poe-out=off
set [ find default-name=ether24 ] comment="*** Modem ***"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment="*** Link ***" disabled=yes speed=10Gbps
set [ find default-name=sfp-sfpplus2 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
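/interface pppoe-client
# PPPoE WAN session on ether24 (the port labelled "Modem").
# NOTE(review): this listing originally carried the real PPPoE user name and password on the line below. Both are masked here in the same way as in the first export, and the posted credential should be treated as exposed and changed with the ISP.
# NOTE(review): allow=pap,chap lets the session fall back to PAP, which sends the password unprotected on the access link; restrict to chap if the ISP supports it (confirm with the provider).
add allow=pap,chap disabled=no interface=ether24 keepalive-timeout=900 max-mru=1492 max-mtu=1492 name=pppoe-Costas password=***** user=************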
/interface vlan
add comment=Native interface=bridge mtu=1492 name="VLAN 1 - Native" vlan-id=1
add comment=Philip interface=bridge mtu=1492 name="VLAN 10 - Philip" vlan-id=10
add comment=Costas interface=bridge mtu=1492 name="VLAN 20 - Costas" vlan-id=20
add comment=Security interface=bridge mtu=1492 name="VLAN 99 - Security" vlan-id=99
add comment=Common interface=bridge name="VLAN 100 - Common" vlan-id=100
add comment="Philip guest " interface=bridge mtu=1492 name="VLAN 110 - PL Guest" vlan-id=110
add comment="Costas guest " interface=bridge mtu=1492 name="VLAN 120 - CL Guest" vlan-id=120
add comment=PL_Shelly interface=bridge mtu=1492 name="VLAN 210 - PL_Shelly" vlan-id=210
add comment=CL_Shelly interface=bridge mtu=1492 name="VLAN 220 - CL_Shelly" vlan-id=220
/caps-man datapath
# Single datapath referenced by every CAPsMAN configuration in this export, including the guest and Shelly SSIDs.
# NOTE(review): client-to-client-forwarding=yes lets wireless clients on the same interface reach each other directly; guest and IoT SSIDs would normally get their own datapath with this set to no. Confirm whether client isolation is wanted there.
add bridge=bridge client-to-client-forwarding=yes name=datapath1
/caps-man security
# One pre-shared-key profile per SSID; the passphrases are masked in this post.
# NOTE(review): authentication-types lists wpa-psk next to wpa2-psk, so clients can still associate with the older WPA handshake; removing wpa-psk leaves WPA2 only. Check that no legacy client depends on it.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Costas_sec passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=Philip_sec passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=CL_guest_sec passphrase=******
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=PL_guest_sec passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=CLShelly passphrase=*****
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=PLShelly passphrase=*****
/caps-man configuration
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name=CL rx-chains=0,1 security=Costas_sec \
    ssid=LCHome tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name=PL rx-chains=0,1 security=Philip_sec \
    ssid="Philip Home" tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=110 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name=PL_guest rx-chains=0,1 security=\
    PL_guest_sec ssid="Philip Guest" tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=120 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name=CL_guest rx-chains=0,1 security=\
    CL_guest_sec ssid="Costas Guest" tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=220 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hide-ssid=yes hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name="CL Shelly" rx-chains=\
    0,1 security=CLShelly ssid=CLShelly tx-chains=0,1
add country=greece datapath=datapath1 datapath.local-forwarding=yes datapath.vlan-id=210 datapath.vlan-mode=use-tag distance=indoors guard-interval=long hide-ssid=yes hw-protection-mode=cts-to-self hw-retries=4 installation=indoor mode=ap name="PL Shelly" rx-chains=\
    0,1 security=PLShelly ssid=PLShelly tx-chains=0,1
/caps-man interface
add configuration=CL disabled=no l2mtu=1600 mac-address=CC:2D:E0:9D:73:BD master-interface=none name="LC 1st floor -1" radio-mac=CC:2D:E0:9D:73:BD radio-name=CC2DE09D73BD
add configuration=PL disabled=no l2mtu=1600 mac-address=CE:2D:E0:9D:73:BD master-interface="LC 1st floor -1" name="LC 1st floor -1-1" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09D73BD
add configuration=CL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:9D:73:BE master-interface="LC 1st floor -1" name="LC 1st floor -1-2" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09D73BE
add configuration=PL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:9D:73:BF master-interface="LC 1st floor -1" name="LC 1st floor -1-3" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09D73BF
add configuration="CL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:9D:73:C0 master-interface="LC 1st floor -1" name="LC 1st floor -1-4" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09D73C0
add configuration="PL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:9D:73:C1 master-interface="LC 1st floor -1" name="LC 1st floor -1-5" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09D73C1
add configuration=CL disabled=no l2mtu=1600 mac-address=E4:8D:8C:CE:D1:A7 master-interface=none name="LC basement-1" radio-mac=E4:8D:8C:CE:D1:A7 radio-name=E48D8CCED1A7
add configuration=PL disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:D1:A7 master-interface="LC basement-1" name="LC basement-1-1" radio-mac=00:00:00:00:00:00 radio-name=E68D8CCED1A7
add configuration=CL_guest disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:D1:A8 master-interface="LC basement-1" name="LC basement-1-2" radio-mac=00:00:00:00:00:00 radio-name=E68D8CCED1A8
add configuration=PL_guest disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:D1:A9 master-interface="LC basement-1" name="LC basement-1-3" radio-mac=00:00:00:00:00:00 radio-name=E68D8CCED1A9
add configuration="CL Shelly" disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:D1:AA master-interface="LC basement-1" name="LC basement-1-4" radio-mac=00:00:00:00:00:00 radio-name=E68D8CCED1AA
add configuration="PL Shelly" disabled=no l2mtu=1600 mac-address=E6:8D:8C:CE:D1:AB master-interface="LC basement-1" name="LC basement-1-5" radio-mac=00:00:00:00:00:00 radio-name=E68D8CCED1AB
add configuration=CL disabled=no l2mtu=1600 mac-address=CC:2D:E0:96:96:CD master-interface=none name="LC ground floor-1" radio-mac=CC:2D:E0:96:96:CD radio-name=CC2DE09696CD
add configuration=PL disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:96:CD master-interface="LC ground floor-1" name="LC ground floor-1-1" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09696CD
add configuration=CL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:96:CE master-interface="LC ground floor-1" name="LC ground floor-1-2" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09696CE
add configuration=PL_guest disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:96:CF master-interface="LC ground floor-1" name="LC ground floor-1-3" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09696CF
add configuration="CL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:96:D0 master-interface="LC ground floor-1" name="LC ground floor-1-4" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09696D0
add configuration="PL Shelly" disabled=no l2mtu=1600 mac-address=CE:2D:E0:96:96:D1 master-interface="LC ground floor-1" name="LC ground floor-1-5" radio-mac=00:00:00:00:00:00 radio-name=CE2DE09696D1
/interface list
add name=GW10
add name=GW20
add name=GW110
add name=GW120
add name=GW99
add name=GW210
add name=GW220
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
# Phase 1 (IKE) parameters. profile_1 negotiates with DH group modp1024, 3DES and MD5, all of which
# are legacy choices; profile_2 overrides only the DH group (again modp1024) and otherwise uses
# whatever the RouterOS defaults are.
# NOTE(review): stronger values such as dh-group=modp2048, enc-algorithm=aes-256 and
# hash-algorithm=sha256 have to be configured identically on the remote peer before switching.
add dh-group=modp1024 enc-algorithm=3des hash-algorithm=md5 lifetime=1d1h name=profile_1
add dh-group=modp1024 name=profile_2
/ip ipsec peer
# "VPN" is tied to a single (masked) remote address. "peer5" is passive and has no address set;
# presumably it answers initiators from any source address - confirm, since it is then protected
# only by the pre-shared key and xauth credentials in /ip ipsec identity.
add address=xxx.xxx.xxx.xxx/32 name=VPN profile=profile_1
add name=peer5 passive=yes profile=profile_2
/ip ipsec proposal
# Phase 2 parameters. The default proposal is changed to 3DES, and the "VPN" proposal uses
# MD5 + 3DES with pfs-group=none, i.e. no perfect forward secrecy for the tunnel keys.
# NOTE(review): auth-algorithms=sha256, enc-algorithms=aes-256-cbc and a pfs-group such as modp2048
# are the usual replacements, again subject to what the remote end supports.
set [ find default=yes ] enc-algorithms=3des
add auth-algorithms=md5 enc-algorithms=3des name=VPN pfs-group=none
/ip pool
add name=Costas ranges=10.1.20.50-10.1.20.99
add name="CL Guest" ranges=10.1.120.50-10.1.120.149
add name="CL Shelly" ranges=10.1.220.50-10.1.220.149
add name=Security ranges=10.1.99.50-10.1.99.99
add name=VPN ranges=10.1.20.190-10.1.20.199
/ip dhcp-server
add address-pool=Costas disabled=no interface="VLAN 20 - Costas" lease-time=1d name="Costas DHCP"
add address-pool="CL Guest" disabled=no interface="VLAN 120 - CL Guest" lease-time=30m name="CL Guest DHCP"
add address-pool="CL Shelly" disabled=no interface="VLAN 220 - CL_Shelly" lease-time=1d name="CL Shelly DHCP"
add address-pool=Security disabled=no interface="VLAN 99 - Security" lease-time=1d name="Security DHCP"
/ppp profile
add bridge=bridge dns-server=10.1.1.254 local-address=10.1.1.254 name=OVPNprofile remote-address=VPN
/caps-man manager
set ca-certificate=CAPsMAN-CA-8D58E7D1FAD5 certificate=CAPsMAN-8D58E7D1FAD5 enabled=yes
/caps-man manager interface
add disabled=no interface=bridge
/caps-man provisioning
add action=create-enabled hw-supported-modes=gn,b master-configuration=CL name-format=identity slave-configurations="PL,CL_guest,PL_guest,CL Shelly,PL Shelly"
/interface bridge port
add bridge=bridge comment=VLAN20 frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=20
add bridge=bridge comment=VLAN20 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge comment=defconf interface=ether5 pvid=100
add bridge=bridge comment=defconf interface=ether6 pvid=100
add bridge=bridge comment=defconf interface=ether7 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=100
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 1 - Native"
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 10 - Philip" pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 20 - Costas" pvid=20
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 99 - Security" pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 110 - PL Guest" pvid=110
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 120 - CL Guest" pvid=120
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 210 - PL_Shelly" pvid=210
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 220 - CL_Shelly" pvid=220
add bridge=bridge frame-types=admit-only-vlan-tagged interface="VLAN 100 - Common" pvid=100
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge tagged="bridge,ether5,ether6,ether7,ether23,ether22,VLAN 10 - Philip" vlan-ids=10
add bridge=bridge tagged="ether5,bridge,ether6,ether7,ether23,ether22,VLAN 20 - Costas" vlan-ids=20
add bridge=bridge tagged="bridge,VLAN 1 - Native" vlan-ids=1
add bridge=bridge tagged="ether23,bridge,ether5,ether6,ether7,ether22,VLAN 110 - PL Guest" vlan-ids=110
add bridge=bridge tagged="ether23,bridge,ether5,ether6,ether7,ether22,VLAN 210 - PL_Shelly" vlan-ids=210
add bridge=bridge tagged="ether23,bridge,ether5,ether6,ether7,ether22,VLAN 220 - CL_Shelly" vlan-ids=220
add bridge=bridge tagged="ether23,bridge,ether5,ether6,ether7,ether22,VLAN 120 - CL Guest" vlan-ids=120
add bridge=bridge tagged="ether23,bridge,ether22,VLAN 99 - Security" vlan-ids=99
add bridge=bridge tagged="bridge,ether22,ether23,VLAN 100 - Common" vlan-ids=100
/interface list member
add interface=pppoe-Costas list=GW120
add interface=pppoe-Costas list=GW220
add interface=ether24 list=WAN
add interface=bridge list=LAN
add interface=pppoe-Costas list=WAN
/ip address
add address=10.1.1.254/24 comment=Common interface="VLAN 100 - Common" network=10.1.1.0
add address=10.1.20.1/24 comment="Costas Gateway" interface="VLAN 20 - Costas" network=10.1.20.0
add address=10.1.99.1/24 comment="Security Gateway" interface="VLAN 99 - Security" network=10.1.99.0
add address=10.1.110.254/24 comment="PL Guest VLAN" interface="VLAN 110 - PL Guest" network=10.1.110.0
add address=10.1.120.1/24 comment="CL Guest Gateway" interface="VLAN 120 - CL Guest" network=10.1.120.0
add address=10.1.210.254/24 comment="PL Shelly Gateway" interface="VLAN 210 - PL_Shelly" network=10.1.210.0
add address=10.1.220.1/24 comment="CL Shelly Gateway" interface="VLAN 220 - CL_Shelly" network=10.1.220.0
add address=10.1.252.5/30 interface=ether24 network=10.1.252.4
add address=10.1.10.254/24 comment="Philip VLAN" interface="VLAN 10 - Philip" network=10.1.10.0
add address=10.1.100.254/24 interface="VLAN 1 - Native" network=10.1.100.0
/ip dhcp-server lease
add address=10.1.20.161 client-id=1:cc:98:8b:1c:2b:da mac-address=CC:98:8B:1C:2B:DA server="Costas DHCP"
add address=10.1.20.162 client-id=1:bc:60:a7:f5:9e:c1 mac-address=BC:60:A7:F5:9E:C1 server="Costas DHCP"
add address=10.1.20.160 client-id=1:70:26:5:2b:a8:da mac-address=70:26:05:2B:A8:DA server="Costas DHCP"
add address=10.1.20.150 client-id=1:0:1f:c6:ca:15:87 mac-address=00:1F:C6:CA:15:87 server="Costas DHCP"
add address=10.1.20.140 mac-address=04:CF:8C:FA:36:F1 server="Costas DHCP"
/ip dhcp-server network
add address=10.1.20.0/24 comment="Costas Network" dns-server=1.1.1.1,1.0.0.1 gateway=10.1.20.1
add address=10.1.99.0/24 comment="Security Network" dns-server=8.8.8.8,8.8.4.4 gateway=10.1.99.1
add address=10.1.120.0/24 comment="Costas Guest" dns-server=8.8.8.8,8.8.4.4 gateway=10.1.120.1
add address=10.1.220.0/24 comment="CL Shelly" dns-server=8.8.8.8,8.8.4.4 gateway=10.1.220.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=10.1.1.0/24 list=Common
add address=10.1.10.0/24 list=Philip
add address=10.1.20.0/24 list=Costas
add address=192.168.2.0/24 list=Office
add address=10.1.99.0/24 list=Security
add address=10.1.110.0/24 list="PL Guest"
add address=10.1.120.0/24 list="CL Guest"
add address=10.1.210.0/24 list=PL_Shelly
add address=10.1.220.0/24 list=CL_Shelly
add address=10.1.1.0/24 list=Local
add address=10.1.10.0/24 list=Local
add address=10.1.20.0/24 list=Local
add address=192.168.2.0/24 list=Local
add address=10.1.252.4/30 list=Local
add address=10.1.100.0/24 list=Local
add address=10.1.252.0/30 list=Local
add address=10.1.199.0/24 list=Local
/ip firewall filter
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=500 protocol=udp
add action=accept chain=input port=4500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="VPN connections" dst-port=443 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=jump chain=input comment="Jump to DNS_DDoS Chain" jump-target=DNS_DDoS
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" port=53 protocol=udp src-address-list=DNS_Accept
add action=accept chain=DNS_DDoS comment="Make exceptions for DNS" dst-address-list=DNS_Accept port=53 protocol=tcp
add action=add-src-to-address-list address-list=DNS_DDoS address-list-timeout=none-dynamic chain=DNS_DDoS comment="Add DNS_DDoS Offenders to Blacklist" port=53 protocol=udp src-address-list=!DNS_Accept
add action=drop chain=DNS_DDoS comment="Drop DNS_DDoS Offenders" src-address-list=DNS_DDoS
add action=return chain=DNS_DDoS comment="Return from DNS_DDoS Chain"
add action=accept chain=icmp comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="Net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="Host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="Allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="Allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="Allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Deny all other types"
add action=drop chain=input comment="Disable ICMP ping" in-interface=pppoe-Costas protocol=icmp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " in-interface=pppoe-Costas protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" src-address-list="port scanners"
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
# NOTE(review): the next rule accepts every input packet that arrives on the PPPoE uplink and was
# not dropped by an earlier rule (ICMP and listed port scanners). It also sits before the
# "drop invalid" rule, so that rule never sees traffic from this interface.
add action=accept chain=input in-interface=pppoe-Costas
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# NOTE(review): this closing rule is disabled=yes, so the input chain ends without a default drop.
# Together with the unconditional accept above, access to the router's own services from the
# internet is limited only by the address= restrictions under /ip service. Narrowing the accept to
# the traffic that is really needed (the IPsec and tcp/443 rules already exist earlier in the chain)
# and re-enabling this rule would restore default-deny on input.
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=Local new-routing-mark=Intervlan passthrough=no src-address-list=Local
add action=mark-routing chain=prerouting dst-address-list=Local in-interface=bridge new-routing-mark=Intervlan passthrough=no
add action=mark-routing chain=prerouting dst-address-type=!local new-routing-mark=Nova_Costas passthrough=no src-address=10.1.1.50
add action=mark-routing chain=prerouting new-routing-mark=Nova_Philip passthrough=no src-address=10.1.1.51 src-address-type=!local
add action=mark-routing chain=prerouting dst-address-list=!Local new-routing-mark=Common passthrough=no src-address-list=Common
add action=mark-routing chain=prerouting dst-address-list=!Local new-routing-mark=Philip passthrough=yes src-address-list=Philip
add action=mark-routing chain=prerouting dst-address-list=!Local new-routing-mark=Costas passthrough=yes src-address-list=Costas
add action=mark-routing chain=prerouting dst-address-list=!Local new-routing-mark=PL_Shelly passthrough=yes src-address-list=PL_Shelly
add action=mark-routing chain=prerouting dst-address-list=!Local new-routing-mark=CL_Shelly passthrough=yes src-address-list=CL_Shelly
add action=mark-routing chain=prerouting dst-address-list=!Local new-routing-mark=Security passthrough=yes src-address-list=Security
add action=mark-routing chain=prerouting dst-address-list=!Local new-routing-mark=CL_Guest passthrough=no src-address-list="CL Guest"
add action=mark-routing chain=prerouting dst-address-list=!Local new-routing-mark=PL_Guest passthrough=no src-address-list="PL Guest"
add action=change-mss chain=forward new-mss=1452 out-interface=pppoe-Costas passthrough=yes protocol=tcp tcp-flags=syn,!rst tcp-mss=1453-65535
add action=change-mss chain=forward in-interface=pppoe-Costas new-mss=1452 passthrough=yes protocol=tcp tcp-flags=syn,!rst tcp-mss=1453-65535
/ip firewall nat
add action=accept chain=input in-interface=bridge ipsec-policy=in,ipsec
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.1.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.10.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.20.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.99.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.100.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.120.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.110.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.210.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.220.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.252.0/30
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=10.1.252.4/30
add action=masquerade chain=srcnat comment="NAT for Modem" dst-address=10.1.252.6 out-interface=ether24 src-address-list=Local
add action=masquerade chain=srcnat out-interface=pppoe-Costas
/ip firewall service-port
set sip disabled=yes
/ip ipsec identity
add peer=VPN secret=*****
add auth-method=pre-shared-key-xauth password=***** peer=peer5 secret=***** username=clouk
/ip ipsec policy
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=10.1.1.254 src-address=10.1.10.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=10.1.1.254 src-address=10.1.20.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=0.0.0.0 src-address=10.1.1.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=10.1.1.254 src-address=10.1.99.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=10.1.1.254 src-address=10.1.210.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=10.1.1.254 src-address=10.1.220.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=10.1.1.254 src-address=10.1.100.0/24 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=10.1.1.254 src-address=10.1.252.0/30 tunnel=yes
add dst-address=192.168.2.0/24 level=unique peer=VPN proposal=proposal sa-dst-address=xxx.xxx.xxx.xxx sa-src-address=10.1.1.254 src-address=10.1.252.4/30 tunnel=yes
/ip route
add check-gateway=ping distance=1 gateway=pppoe-Costas routing-mark=Nova_Costas
add check-gateway=ping distance=1 gateway=10.1.1.253 routing-mark=Nova_Philip
add check-gateway=ping distance=1 gateway=pppoe-Costas routing-mark=Common
add check-gateway=ping distance=2 gateway=10.1.1.253 routing-mark=Common
add check-gateway=ping distance=1 gateway=10.1.1.253 routing-mark=Philip
add check-gateway=ping distance=2 gateway=pppoe-Costas routing-mark=Philip
add check-gateway=ping distance=1 gateway=pppoe-Costas routing-mark=Costas
add check-gateway=ping distance=2 gateway=10.1.1.253 routing-mark=Costas
add check-gateway=ping distance=1 gateway=10.1.1.253 routing-mark=PL_Shelly
add check-gateway=ping distance=2 gateway=pppoe-Costas routing-mark=PL_Shelly
add check-gateway=ping distance=1 gateway=pppoe-Costas routing-mark=CL_Shelly
add check-gateway=ping distance=2 gateway=10.1.1.253 routing-mark=CL_Shelly
add check-gateway=ping distance=1 gateway=pppoe-Costas routing-mark=Security
add check-gateway=ping distance=2 gateway=10.1.1.253 routing-mark=Security
add check-gateway=ping distance=1 gateway=pppoe-Costas routing-mark=CL_Guest
add check-gateway=ping distance=1 gateway=10.1.1.253 routing-mark=PL_Guest
add check-gateway=ping distance=1 gateway=pppoe-Costas
add check-gateway=ping distance=2 gateway=10.1.1.253
add check-gateway=ping distance=1 dst-address=10.1.252.0/30 gateway=10.1.1.253
add check-gateway=ping distance=1 dst-address=xxx.xxx.xxx.xxx/32 gateway=pppoe-Costas
add check-gateway=ping distance=2 dst-address=xxx.xxx.xxx.xxx/32 gateway=10.1.1.253
/ip service
# Every management service only gets a source-address restriction here; none of these lines sets
# disabled=yes, so telnet, ftp, www and api (all unencrypted) presumably stay enabled - confirm
# with `/ip service print`.
# 10.1.0.0/16 also covers the guest subnets (10.1.110.0/24, 10.1.120.0/24) and the Shelly subnets
# (10.1.210.0/24, 10.1.220.0/24), so clients on those VLANs are allowed to reach the management ports.
# NOTE(review): disabling the cleartext services and narrowing address= to the subnet(s) actually
# used for administration reduces the exposure; ssh, winbox and api-ssl cover the same functions.
set telnet address=10.1.0.0/16,192.168.2.0/24
set ftp address=10.1.0.0/16,192.168.2.0/24
set www address=10.1.0.0/16,192.168.2.0/24
set ssh address=10.1.0.0/16,192.168.2.0/24
set api address=10.1.0.0/16,192.168.2.0/24
set winbox address=10.1.0.0/16,192.168.2.0/24
set api-ssl address=10.1.0.0/16,192.168.2.0/24
/ppp secret
add name=clouk password=******* service=ovpn
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="Switch Costas"
/system ntp client
set enabled=yes primary-ntp=194.177.210.54 secondary-ntp=62.217.127.33 server-dns-names=gr.pool.ntp.org
/system routerboard settings
set boot-os=router-os

Any help would be very welcome.
Thank you very much in advance!

You have a mess of VLAN interfaces… When you create them in /interface vlan, you have to bind them to some L2 interface; in your case, that means binding them to the bridge interface.
Next, you never ever add VLAN interfaces to the bridge (in /interface bridge port or /interface bridge vlan) as tagged or untagged ports. You should, however, add the bridge interface itself as a tagged member of a VLAN (in /interface bridge vlan) whenever you have created a VLAN interface, bound to the bridge interface, with the corresponding VID.

And last: both CRSes are set up for inter-VLAN routing … which means you likely have routing triangles (a packet passing one router on the way there and the other one on the way back). Each router then sees only one direction of a connection, which breaks connection tracking … and the firewall relies on it (the "drop invalid" rules, for example, can discard such packets).

Thank you very much for spending some time with this.

So, I guess the best way to go would be to split the VLANs between the two switches and create static routes from each one to the other for the VLANs on which it doesn’t have an IP address, right?

BR
Costas

If you don’t have a really good reason for a symmetrical VLAN setup (e.g. all VLANs present on both routers), you’d do yourself a favour if you clearly separated both LANs and then established a few static routes between the different VLANs. As things are now, the overlapping addressing (and DHCP server address pools) doesn’t make things easier either…