Nuri
August 1, 2022, 9:27am
1
Hi there,
my question is:
I am getting a VLAN 100 from ETH 3 via DHCP Client. I can forward this VLAN to the switches which are after the router, but they cannot access the Internet. If I try to test the connection from ETH3 on my laptop, I have Internet. I think my router blocks or does not enable the Internet connection because it is not configured.
Is there something missing in the Firewall rule or routes?
I guess…YES, something is missing.
Please share your configuration so we can provide you with some meaningful information:
/export hide-sensitive file=anynameyoulike (and remove any personal information from it)
anav
August 1, 2022, 10:55pm
3
A network diagram helps to show us the equipment involved, what is connected to all ports and conceptually what traffic flows there should be.
Nuri
August 2, 2022, 12:04pm
4
I guess...YES, something is missing.
Please share your configuration so we can provide you with some meaningful information:
/export hide-sensitive file=anynameyoulike (and remove any personal information from it)
Hi there, here is the config file:
# aug/02/2022 13:55:32 by RouterOS 6.48.6
# model = CCR1009-7G-1C-1S+
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled name="2.4GHz Standard"
/caps-man configuration
add name=Missing
/interface bridge
add name=DisplaySSID protocol-mode=none
add name=bridge_vlan100 protocol-mode=none
add name=hsia protocol-mode=none
add name=mgmt protocol-mode=none
add name=tv protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=wan1
set [ find default-name=ether2 ] comment=wan2
set [ find default-name=ether3 ] comment=Officenetz
set [ find default-name=ether4 ] comment=hsia-bridge-port
set [ find default-name=ether5 ] comment=mgmnt-bridge-port
set [ find default-name=ether6 ] comment=localbreakout
set [ find default-name=ether7 ] comment="MGMT Port2"
/interface vlan
add interface=ether3 name=vlan100 use-service-tag=yes vlan-id=100
add interface=ether5 name=vlan100_office use-service-tag=yes vlan-id=100
/caps-man datapath
add bridge=hsia client-to-client-forwarding=no local-forwarding=no name=hsiapath
add bridge=DisplaySSID client-to-client-forwarding=yes local-forwarding=no name=DisplaySSIDpath
/caps-man security
add name=hsiasec
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=DisplaySSIDsec
/caps-man configuration
add channel="2.4GHz Standard" channel.frequency=2412 country=germany datapath=hsiapath mode=ap name="2.4GHz CH01" security=hsiasec ssid=RekaDisentis
add channel="2.4GHz Standard" channel.frequency=2437 country=germany datapath=hsiapath mode=ap name="2.4GHz CH06" security=hsiasec ssid=RekaDisentis
add channel="2.4GHz Standard" channel.frequency=2462 country=germany datapath=hsiapath mode=ap name="2.4GHz CH11" security=hsiasec ssid=RekaDisentis
add channel.band=5ghz-onlyac channel.control-channel-width=20mhz channel.extension-channel=Ceee channel.reselect-interval=12h channel.save-selected=yes country="etsi 5.5-5.7 outdoor" datapath=hsiapath mode=ap name=5G_band rx-chains=0,1,2 security=hsiasec ssid=RekaDisentis tx-chains=0,1,2
add channel.band=5ghz-a/n channel.control-channel-width=20mhz channel.extension-channel=Ce channel.reselect-interval=12h channel.save-selected=yes country="etsi 5.5-5.7 outdoor" datapath=hsiapath mode=ap name=5G_band_an rx-chains=0,1,2 security=hsiasec ssid=RekaDisentis tx-chains=0,1,2
add datapath=DisplaySSIDpath name=DisplaySSID-cfg security=DisplaySSIDsec ssid=DisentisDisplay
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_hsia ranges=10.10.192.2-10.10.255.254
add name=pool_mgmt ranges=172.20.44.5-172.20.44.254
add name=pool_DisplaySSID ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add add-arp=yes address-pool=pool_hsia disabled=no interface=hsia lease-time=1d name=server_hsia
add add-arp=yes address-pool=pool_mgmt disabled=no interface=mgmt lease-time=12w6d name=server_mgmt
add add-arp=yes address-pool=pool_DisplaySSID disabled=no interface=DisplaySSID lease-time=1w name=server_DisplaySSID
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=pub
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=--2.4CH01 master-configuration="2.4GHz CH01" name-format=prefix-identity slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=--2.4CH06 master-configuration="2.4GHz CH06" name-format=prefix-identity slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=--2.4CH11 master-configuration="2.4GHz CH11" name-format=prefix-identity slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=5G_band name-format=prefix-identity slave-configurations=DisplaySSID-cfg
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=5G_band_an name-format=prefix-identity slave-configurations=DisplaySSID-cfg
add comment=CatchAll master-configuration=Missing
/interface bridge filter
add action=drop chain=forward comment="Prevent Intra-BSS attacks" in-bridge=hsia out-bridge=hsia
/interface bridge port
add bridge=hsia interface=ether4
add bridge=mgmt interface=ether7
add bridge=mgmt interface=ether5
add bridge=bridge_vlan100 interface=ether3 multicast-router=disabled pvid=100
add bridge=bridge_vlan100 interface=vlan100 multicast-router=disabled
/interface bridge settings
set use-ip-firewall=yes
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set secure-redirects=no tcp-syncookies=yes
/interface bridge vlan
add bridge=bridge_vlan100 tagged=ether5 vlan-ids=100
/ip address
add address=10.10.192.1/18 comment=hotspot interface=hsia network=10.10.192.0
add address=172.20.44.1/24 comment=mgmnt interface=mgmt network=172.20.44.0
add address=192.168.10.1/24 comment=DisplaySSID interface=DisplaySSID network=192.168.10.0
add address=172.16.6.1/24 interface=ether3 network=172.16.6.0
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=bridge_vlan100 use-peer-dns=no use-peer-ntp=no
add add-default-route=no disabled=no interface=bridge_vlan100 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server alert
add disabled=no interface=hsia on-alert=":log info bad_DHCP_Server"
add disabled=no interface=DisplaySSID on-alert=":log info DisplaySSID - anderer DHCP Server"
/ip dhcp-server network
add address=10.10.192.0/18 dns-server=10.10.192.1 gateway=10.10.192.1 netmask=18 ntp-server=10.10.192.1
add address=172.20.44.0/24 dns-server=172.20.44.1 gateway=172.20.44.1 netmask=24 ntp-server=172.20.44.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24 ntp-server=192.168.10.1
/ip firewall address-list
add address=172.16.60.0/24 list=RZ
add address=10.255.244.0/22 list=RZ
add address=10.255.252.0/22 list=RZ
add address=172.16.6.0 list=Office
/ip firewall filter
add chain=forward dst-address=10.10.192.0/18 src-address=172.16.60.0/24
add chain=forward dst-address=172.16.60.0/24 src-address=10.10.192.0/18
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=input comment="drop external ntp" dst-port=123 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop external ntp" dst-port=123 in-interface=ether2 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="drop external dns" dst-port=53 in-interface=ether2 protocol=udp
add action=drop chain=input comment="drop external dns" dst-port=53 in-interface=ether2 protocol=tcp
add action=drop chain=forward comment="tv to mgmt" in-interface=tv log-prefix=DROP_FW out-interface=mgmt
add chain=input connection-state=established,related
add chain=input protocol=icmp src-address=10.10.192.0/18
add action=drop chain=forward comment="block multicast" src-address-type=multicast
add action=drop chain=forward comment="clients to mgmnt-lan" dst-address=172.20.44.0/24 src-address=10.10.192.0/18
add chain=forward comment="accept established" connection-state=established
add chain=forward comment="accept related" connection-state=related
add chain=forward comment="rz to mgmnt-lan" dst-address=172.20.44.0/24 src-address-list=RZ
add chain=forward comment="mgmnt-lan to rz" dst-address-list=RZ src-address=172.20.44.0/24
add action=drop chain=forward comment="mgmnt-lan 2 anywhere" src-address=172.20.44.0/24
add action=drop chain=forward comment=eventSSID2RZ dst-address=172.16.0.0/12 src-address=192.168.10.0/24
add action=drop chain=forward comment=eventSSID2TV dst-address=192.0.0.0/8 src-address=192.168.10.0/24
add action=accept chain=forward disabled=yes src-address-list=Office
add action=accept chain=forward disabled=yes dst-address-list=Office
/ip firewall mangle
add chain=prerouting dst-address-list=RZ
add action=accept chain=prerouting disabled=yes dst-address-list=RZ
add action=mark-connection chain=prerouting comment=unfiltered_clients connection-mark=no-mark disabled=yes dst-address-type=!local hotspot=auth in-interface=hsia new-connection-mark=hotspotuser passthrough=yes src-address=10.10.192.0/18
add action=mark-routing chain=prerouting comment=unfiltered connection-mark=hotspotuser disabled=yes dst-address-type="" in-interface=hsia new-routing-mark=hotspotuser passthrough=yes
add action=mark-routing chain=output connection-mark=hotspotuser disabled=yes new-routing-mark=hotspotuser passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="LB to WAN" out-interface=ether1
add action=masquerade chain=srcnat comment=localbreakout out-interface=ether1
add action=masquerade chain=srcnat comment=localbreakout disabled=yes out-interface=bridge_vlan100
add action=accept chain=srcnat disabled=yes out-interface=bridge_vlan100
/ip route
add check-gateway=ping disabled=yes distance=1 gateway=10.255.244.1 routing-mark=hotspotuser
add disabled=yes distance=5 gateway=10.255.252.1 routing-mark=hotspotuser
add disabled=yes distance=1 dst-address=10.10.192.0/18 gateway=hsia routing-mark=hotspotuser
add distance=10 gateway=ether3
add distance=20 gateway=172.16.6.1
add distance=15 dst-address=172.16.60.0/24 gateway=10.255.244.1
add comment=failback distance=20 dst-address=172.16.60.0/24 gateway=10.255.252.1
add distance=10 dst-address=172.16.60.128/25 gateway=10.255.252.1
add check-gateway=ping comment=OpenAppTV-Server distance=1 dst-address=172.16.60.211/32 gateway=10.255.244.1
/system ntp client
set enabled=yes primary-ntp=172.16.60.60 secondary-ntp=172.16.60.160
/system ntp server
set enabled=yes
I will agree on the network diagram…
Nuri
August 2, 2022, 12:15pm
6
I don't know how I can insert images.
Use the insert image icon…
The question is why you want to "forward" that VLAN to the rest of your network?
Also, VLANs work on Layer 2 and they do not traverse Routers, Layer 3 devices…
@Nuri
(use the Attachments tab, then upload the images directly on the forum, without using 3rd-party servers)
Nuri
August 2, 2022, 12:48pm
9
My problem is that my router blocks the Internet access from this VLAN?
Where is the VLAN 100 eth3 connected to on your MikroTik router?
On a bridge port or on a WAN port?
Nuri
August 2, 2022, 1:00pm
12
It is via a cable on ETH3.
In order to use the Bridge VLAN settings and the Bridge port pvid settings, Bridge VLAN filtering must be enabled.
Otherwise your Bridge interface is not VLAN aware…
And of course before you enable it, you should read how it works, otherwise there is a chance to lose connectivity with your device…
anav
August 2, 2022, 2:02pm
14
I often recommend taking a spare etherport for config purposes off the bridge to avoid loss of connectivity issues.
https://forum.mikrotik.com/viewtopic.php?t=181718
Just to be clear your ISP gives you internet from an ont/modem to ethernet 3 on the MT, but it comes in riding vlan100 as setup by the ISP.
Nuri
August 2, 2022, 2:36pm
15
I often recommend taking a spare etherport for config purposes off the bridge to avoid loss of connectivity issues.
https://forum.mikrotik.com/viewtopic.php?t=181718
Just to be clear your ISP gives you internet from an ont/modem to ethernet 3 on the MT, but it comes in riding vlan100 as setup by the ISP.
Hi there,
No, I am getting Internet for the productive on ETH1. ETH3 is connected to a VLAN which has Internet too, but my router blocks that connection to outside.
anav
August 2, 2022, 3:57pm
16
Got it, ether1 to ISP, ether3 is just a port with vlan100 on it which is allowed perhaps to other vlans but not to your internet.
Nuri
August 2, 2022, 4:02pm
17
That is correct. When I forward this VLAN 100 to the switches and clients they are in the correct IP range but they have no Internet connection.
As said earlier, but ignored, without Bridge VLAN filtering enabled, whatever configuration you've done under /bridge interface related to VLAN settings is simply ignored.
Also, you’ve added a VLAN interface on a slave Interface https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANinterfaceonaslaveinterface
Which as you can read above can lead to some clients not getting an IP.
Overall your config has many many mistakes…
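Added example of the bridge/VLAN layout the two points above and anav's spare-port advice describe; this is written for this thread and is not taken from Nuri's export or from MikroTik's docs. Bridge and port names are from the export; it assumes VLAN 100 reaches ether3 as an ordinary 802.1Q tag (the export's use-service-tag=yes is not carried over), that ether6 is unused, and that 192.168.88.0/24 is a placeholder.

```routeros
# Added example (not Nuri's export): bridge_vlan100 as a VLAN-aware bridge.
# Names bridge_vlan100, ether3, ether5 and vlan100 come from the posted
# config. Assumed: VLAN 100 arrives 802.1Q-tagged on ether3, ether6 is a
# free port, and 192.168.88.0/24 is only a placeholder recovery subnet.

# 1. Recovery access that cannot be lost while the bridge is changed:
#    a port that is NOT a member of any bridge (anav's spare-port advice).
/ip address
add address=192.168.88.1/24 interface=ether6 comment="recovery, off-bridge"

# 2. Bridge ports. No pvid on ether3: untagged frames there stay in the
#    bridge default VLAN 1 instead of silently joining VLAN 100. If the
#    office side actually delivers VLAN 100 untagged, set pvid=100 on
#    ether3 and list it under untagged= in step 3 instead of tagged=.
/interface bridge port
add bridge=bridge_vlan100 interface=ether3
add bridge=bridge_vlan100 interface=ether5

# 3. VLAN table. The bridge itself must be a tagged member, otherwise
#    frames for VLAN 100 never reach the router's own vlan100 interface.
/interface bridge vlan
add bridge=bridge_vlan100 tagged=bridge_vlan100,ether3,ether5 vlan-ids=100

# 4. The router's Layer 3 interface for VLAN 100 hangs off the bridge,
#    not off ether3 (a bridge slave), so the DHCP client binds to it.
/interface vlan
add interface=bridge_vlan100 name=vlan100 vlan-id=100
/ip dhcp-client
add interface=vlan100 add-default-route=no disabled=no use-peer-dns=no use-peer-ntp=no

# 5. Only now enable filtering; until this is set, /interface bridge vlan
#    and pvid entries are ignored. Run it from the off-bridge port in
#    Safe Mode so a mistake is rolled back automatically.
/interface bridge
set bridge_vlan100 vlan-filtering=yes

# Checks: the port table should show ether3/ether5 as members of
# bridge_vlan100 and the vlan table should list all three as tagged.
/interface bridge port print
/interface bridge vlan print
```

The default route is still left off the VLAN 100 DHCP client, as in the export, so whether clients behind ether5 get Internet over that path also depends on the routes and NAT, which this block does not touch.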
anav
August 2, 2022, 11:04pm
19
Concur, it's like a hodge-podge of different YouTube videos; will work on something better.
anav
August 3, 2022, 12:50am
20
So it's not clear what VLANs go out which ports of the MT router. All I see is ether5 is connected to the MAIN switch, but not which VLANs actually flow into the switch.