Advice please hardware/Wifi/Wireless/CapsMan/VLAN confusion

I have a very mixed setup of 1 main router (RB4011) and 3 APs

RB4011 - RB4011iGS+5HacQ2HnD with “wifi-qcom-ac” package with just 5GHz wifi because of Mikrotik making 2GHz redundant!

APs

  • hAP AC2 - RBD52G-5HacD2HnD-TC with “wifi-qcom-ac” package
  • RB2011 - RB2011UiAS-2HnD with “wireless” package
  • WAP ac - RBwAPG-5HacT2HnD with “wireless” package

“All” I want is to set up a main SSID and a Guest SSID around my house but there are so many incompatibilities between all the hardware, it is sooooo troublesome. I’ve tried Capsman, VLAN etc to no avail. It’s not just the variety; I get to a point where the hardware just says no! (“vlan not possible on this interface” etc). At the moment, the only thing that seems to actually work is a simple main SSID.

So my questions are:

  • Should I chuck all the hardware out and start again?
  • Are Mikrotik focusing on wifi or wireless or qcom?
  • Are they going to change it all again?
  • Should I wait until they redo their CapsMan implementation?

Views on these??

1- Your choice. See later.
2- wifi is using qcom drivers. Wireless is using MT own developed drivers. With the arrival of the AX line, MT decided to use qcom drivers. qcom-ac was also made to get wave2 compatibility for older HW having compatible chipsets.
3- Who knows ? :smiley:
4- It just has been redone with wave2 ? And they created the possibility to have both capsman environments on the same device ?

Your main problem is that RB4011 and the fact that you also want to use it for wifi. That’s the biggest incompatibility you have.
Load wireless on that RB4011 and use separate AP.
Then you can have both capsman controllers on that device until you have replaced all “older” (but still perfectly functional !) HW at your own pace.

For replacements:
wap ac → wap AX
RB2011 → L009
AC2 - can be kept or AX2

Personal view:
why make it yourself so difficult with insisting on using capsman ? Even 2 capsman environments with each controlling 2 APs ?
Use your devices with the drivers they are best being used for and setup APs as standalone (but using same SSID, security,…).
You already have a mix of wireless technologies, why make it more complex ? The only way out of that situation is to replace all with similar HW.

Thank you for your good advice!

I have no great desire to use Capsman at all! If I had 50 APs then perhaps I would fight harder to use it.

What I haven’t found yet is an easy way to add a Guest network - I tried the VLAN method on this post http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 . First time it bricked the router. Second time I found the RB4011 has incompatible wifi to vlan.

Do I have to use vlans to get the APs to have a guest wifi? It appears that I do need to do that so the APs communicate with the router over the same bridge to get to the two DHCP servers on the router.

This is all on 7.16.1

No, you do not have to use VLAN.

If you setup devices separately, you can use this approach on each.
https://tangentsoft.com/mikrotik/wiki?name=Isolated%20Guest%20WiFi%20Sans%20VLANs

But to be honest, once you get how vlans work, they make things easier.

Let’s start with the main router ONLY, it will handle vlans, dhcp and its own local wifi.
Capsman will NOT be used… starts singing Celebrate good times, come on (Let’s celebrate)

Follow the guidance document as suggested → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Create all the vlans you think you need throughout the entire network ( some may just be used at one AP for example )
Decide on one management vlan or TRUSTED vlan that all devices will get their LANIP address from.

Take one port off the bridge on the RB4011, give it an IP, ensure it has access.
/interface ethernet
set [ find default-name=ether8 ] name=OffBridge8
/ip address
add address=192.168.77.1/30 interface=OffBridge8 network=192.168.77.0
/interface list member
add interface=OffBridge8 list=LAN
add interface=OffBridge8 list=TRUSTED

Plug your laptop into ether8, change ipv4 settings to 192.168.77.2 and you should be in!!

The rest of your devices will be used as AP/Switch and I guess the rb2011 just as a switch.

When you have made sufficient progress on the main router post the config here for review
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

Back when I understood caps-man… It was incredibly efficient for dealing with deployments. I would use it if I had 2 radios. 10 or 15… Sure! I had systems up and running in minutes.

The poor radio performance put an end to that.

The new version of caps-man would require unlearning a lot of what I knew. But the sting of having no fix for bugs for nearly 6 years… Makes me take a big step back from going down the rabbit hole again.

Now on the positive stuff…

At the insults of other members… I did put the new caps-man on my RB5009. I had 2 cap AC so I put them into caps mode with the new driver. They work a whole lot better now. But since VLANs are handled differently… I hit a hard stop when I tried to add a tag and everything disconnected.

Vlan and qcom-ac using capsman is … special.
With ax it is really easy.

I think I’ve done ok tonight.

I put in anav’s OffBridge suggestion and have had no dropped winbox connections - yippee

I have got 2 vlans working on the RB4011:

  • A Main network with main wifi
  • A Machine network

Errors & challenges

  • I tried to create a Guest wifi but could not find the pvid field and when I put the vlan number in VLAN ID, I got an error message on the wifi entry saying “vlan-id configured, but interface does not support assigning vlans”
  • When I tried to set the hAP ac2, I get the same error - is that because of the wifi-qcom-ac package?
  • Same with the RB2011 - The Bridge Ports are set dynamically. I must be doing something wrong.
  • On the wAP ac, I have to go into Advanced mode on the Wireless Tables to find VLAN Mode and VLAN ID but these are not mentioned in the instructions so I’ve stopped.

Any thoughts on next steps??

Any thoughts on next steps??

Sure… Post your configs…

The guest WiFi is getting a dynamically created bridge port entry so I can’t change its vlan id. I can’t find a way to make it non dynamic. The bridge still has a pvid of 1.

So I wonder if it’s because I didn’t keep one of the vlans as 1.

I have typically used
192.168.64.0/24 as my main network
192.168.66.0/24 as my guest network
192.168.68.0/24 as my machine network

I don’t have a management network (apart from anav’s OffBridge concept).

So thought I’d use 64, 66, 68 respectively as my vlan tags and get rid of 1. I’m now thinking that’s a bad idea.

Should I put 192.168.64.0/24 back onto vlan 1? Will that be a better setup?

I will send the config once I’ve tidied up the firewall config. Later today.

Great, network diagram so we know the topology, and both configs…
/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys etc.)

Use code blocks around export ( black square with white square brackets on same line as Bold and Underline ).

I’ve not made any changes to the APs default so I’m only putting the RB4011 config here.

The APs are:

  • hAP AC2 - RBD52G-5HacD2HnD-TC with “wifi-qcom-ac” package
  • RB2011 - RB2011UiAS-2HnD with “wireless” package
  • WAP ac - RBwAPG-5HacT2HnD with “wireless” package

The topology is the RB4011 acting as the router / internet gateway. The APs will have main and guest ssid but no machine network.

  • 192.168.64.0/24 as my main network - vlan 64
  • 192.168.66.0/24 as my guest network - vlan 66
  • 192.168.68.0/24 as my machine network - vlan 68

The Bridge still has PVID=1 and “admit all”

The firewall is still messy.

Any thoughts on the vlan set up?

# 2024-12-03 21:11:22 by RouterOS 7.16.1

#
# model = RB4011iGS+5HacQ2HnD

/interface bridge add admin-mac=C4:AD:34:60:79:47 auto-mac=no comment=bridge name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet set [ find default-name=ether2 ] comment="ether2 - OffBridge2" name=OffBridge2
/interface ethernet set [ find default-name=ether1 ] comment="ether1 - Internet" name="ether1 - Internet" rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether3 ] comment="ether3 - " name="ether3 - "
/interface ethernet set [ find default-name=ether4 ] comment="ether4 - " name="ether4 - "
/interface ethernet set [ find default-name=ether5 ] comment=ether5
/interface ethernet set [ find default-name=ether6 ] comment="ether6 -  Router MK4" name="ether6 -  MK4"
/interface ethernet set [ find default-name=ether7 ] comment="ether7 - " name="ether7 - "
/interface ethernet set [ find default-name=ether8 ] comment="ether8 - " name="ether8 - DS218"
/interface ethernet set [ find default-name=ether9 ] comment="ether9 -  UpUp Router MK3" name="ether9 -  UpUp Router MK3"
/interface ethernet set [ find default-name=ether10 ] comment="ether10 - Up Router MK2" name="ether10 - Up Router MK2" poe-out=forced-on
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard add comment="Wireguard General Interface" listen-port= mtu=1420 name=WireGuard
/interface vlan add comment=vlan64 interface=bridge name=vlan64 vlan-id=64
/interface vlan add interface=bridge name=vlan66 vlan-id=66
/interface vlan add interface=bridge name=vlan68 vlan-id=68
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=TRUSTED
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_athome
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_guest
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40mhz-eC comment="5ghz Wifi - athome" configuration.country="United Kingdom" .manager=local .mode=ap .ssid=athome datapath.bridge=bridge disabled=no name=wifi_athome security=sec_athome
/interface wifi configuration add datapath.bridge=bridge disabled=no manager=local name=cfg_guest security=sec_guest ssid=athome_g
/interface wifi add configuration=cfg_guest configuration.mode=ap disabled=no mac-address=C6:AD:34:60:79:51 master-interface=wifi_athome name=Guest_Wifi security.ft=no .ft-preserve-vlanid=no
/ip pool add name=pool_64 ranges=192.168.64.100-192.168.64.254
/ip pool add name=pool_68 ranges=192.168.68.2-192.168.68.254
/ip pool add name=pool_66 ranges=192.168.66.2-192.168.66.254
/ip dhcp-server add address-pool=pool_64 interface=vlan64 lease-time=10m name=dhcp_vlan64
/ip dhcp-server add address-pool=pool_68 interface=vlan68 lease-time=10m name=dhcp_vlan68
/ip dhcp-server add address-pool=pool_66 interface=vlan66 lease-time=10m name=dhcp_vlan66
/port set 0 name=serial0
/port set 1 name=serial1
/disk settings set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether3 - " pvid=68
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether4 - " pvid=68
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether6 - MK4" pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether7 - " pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether8 - " pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether9 -  UpUp Router MK3" pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether10 - Up Router MK2" pvid=64
/interface bridge port add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wifi_athome pvid=64
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set disable-ipv6=yes
/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=64
/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=68
/interface bridge vlan add bridge=bridge tagged=bridge untagged=Guest_Wifi vlan-ids=66
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface="ether1 - Internet" list=WAN
/interface list member add interface=WireGuard list=LAN
/interface list member add interface=vlan64 list=LAN
/interface list member add interface=OffBridge2 list=LAN
/interface list member add interface=OffBridge2 list=TRUSTED
/interface list member add interface=vlan68 list=LAN
/interface list member add interface=vlan66 list=LAN

/ip address add address=10.200.0.1/24 comment=RoadWarriors interface=WireGuard network=10.200.0.0
/ip address add address=10.100.0.1/24 comment=Mittens interface=WireGuard network=10.100.0.0
/ip address add address=10.64.0.1/24 comment=France interface=WireGuard network=10.64.0.0
/ip address add address=192.168.77.1/30 comment="Addresses on ether2 to allow free access to the Router. In case I mess up changes." interface=OffBridge2 network=192.168.77.0
/ip address add address=192.168.68.1/24 comment="Machine Network" interface=vlan68 network=192.168.68.0
/ip address add address=192.168.66.1/24 comment="Guest Network" interface=vlan66 network=192.168.66.0
/ip dhcp-client add comment=defconf interface="ether1 - Internet" use-peer-dns=no

/ip dhcp-server network add address=192.168.64.0/24 comment=network_64 dns-server=192.168.64.1 gateway=192.168.64.1
/ip dhcp-server network add address=192.168.66.0/24 comment=network_66 dns-server=192.168.64.1 gateway=192.168.66.1
/ip dhcp-server network add address=192.168.68.0/24 comment=network_68 dns-server=192.168.64.1 gateway=192.168.68.1
/ip dns set allow-remote-requests=yes servers=9.9.9.9,149.112.112.112
/ip dns static add address=192.168.64.1 comment=defconf name=router.lan type=A
/ip firewall address-list add address=192.168.64.1-192.168.64.99 list=AllowToRouter
/ip firewall address-list add address=192.168.65.1-192.168.65.99 list=AllowToRouter
/ip firewall address-list add address=10.200.0.0/24 list=AllowToRouter
/ip firewall address-list add address=192.168.77.2 list=AllowToRouter
/ip firewall address-list add address=192.168.68.0/24 list=AllowToRouter
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment=Wireguard dst-port=13233 protocol=udp
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" disabled=yes log=yes protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow interfaces on TRUSTED list to access Router" in-interface-list=TRUSTED
/ip firewall filter add action=accept chain=input comment="Allow LAN UDP - DNS (53) NTP (123)" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN UDP - Netbios (137) DHCP (67) MK Discovery (5678)" disabled=yes dst-port=67,137,5678 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN TCP - DNS (53)" dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowToRouter
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=input comment="Drop all else & Log"
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route add comment=FranceLondon disabled=no distance=1 dst-address=192.168.65.0/24 gateway=10.64.0.3 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=FranceSFRRouter disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.64.0.3 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="To Dongle" disabled=no distance=1 dst-address=192.168.9.0/24 gateway=10.64.0.3 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set always-allow-password-login=yes
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock set time-zone-name=Europe/London
/system identity set name=RB4011
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

I’ve not made any changes to the APs default

If this statement is true, then your VLANs can’t work there…

Wifi interfaces are dynamically added to the bridge as ports because you are using datapath.bridge=bridge. If you are using wifi-qcom-ac package you can not use datapath configuration profile to assign VLAN. You can delete this option and add bridge port and bridge vlan manually.

I meant the other APs, not the RB4011. I can’t get the guest wifi to work on that. I’ll do the APs once that is working.

I will try it without the datapath.bridge on the main wifi and the slave guest.

This is what I meant about the PVID being 1 on the bridge. Should I change that to 64 (the main vlan) or change all the other 64 vlan ids back to 1?
Screenshot 2024-12-04 030821.png
Screenshot 2024-12-04 031859.png

This is the exact reason why you shouldn’t use VLAN 1 manually. It is used as default VLAN. If there is some rogue packet that doesn’t belong to any of your configured VLANs it “falls” to VLAN 1.

Meaning: this is expected and absolutely fine

I have the RB4011 Router working! It was the datapath.bridge. It now has a main and a guest wifi and various access ports on various vlans.

I am now stuck trying to get the RB2011 working as an AP.

I am trying to have:

  • the main SSID athome on vlan 64
  • the guest SSID athome_guest on vlan 66

The RB2011 AP is connected to the RB4011 Router on ether9.

I suspect I have got the following incorrect

  • ether9 on the RB4011 setting incorrect - I suspect I don’t have it as a Trunk
  • the Bridge VLAN entries on the RB2011 AP

It would be great if someone could help me get this last bit right.

RB2011 AP Config

# 2024-12-04 21:45:50 by RouterOS 7.16.1
# software id = 65FW-3KRA
#
# model = RB2011UiAS-2HnD

/interface bridge add admin-mac=4C:5E:0C:B8:9D:91 auto-mac=no comment=defconf name=bridgeLocal protocol-mode=none vlan-filtering=yes
/interface ethernet set [ find default-name=ether10 ] name="ether10 - OffBridge"
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_athome
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=sec_athome supplicant-identity=""
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=sec_athome_guest supplicant-identity=""
/interface wireless set [ find default-name=wlan1 ] band=2ghz-onlyn country="united kingdom" disabled=no frequency=auto installation=indoor mode=ap-bridge security-profile=sec_athome ssid=athome5 wps-mode=disabled
/interface wireless add disabled=no keepalive-frames=disabled mac-address=4E:5E:0C:B8:9D:9B master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=sec_athome_guest ssid=athome_guest2 wds-cost-range=0 wds-default-cost=1 wps-mode=disabled
/port set 0 name=serial0
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether1
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether2 pvid=64
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether3 pvid=64
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether4 pvid=64
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether5 pvid=64
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether6 pvid=64
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether7 pvid=64
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether8 pvid=64
/interface bridge port add bridge=bridgeLocal comment=defconf interface=ether9 pvid=64
/interface bridge port add bridge=bridgeLocal comment=defconf disabled=yes interface=sfp1
/interface bridge port add bridge=bridgeLocal interface=wlan1 pvid=64
/interface bridge port add bridge=bridgeLocal interface=wlan2 pvid=66
/interface bridge vlan add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=64
/interface bridge vlan add bridge=bridgeLocal tagged=ether1 vlan-ids=66
/interface wifi cap set discovery-interfaces=bridgeLocal
/interface wireless access-list add comment=Breeze interface=wlan1 mac-address=74:38:B7:0C:AF:1B vlan-mode=no-tag
/interface wireless access-list add comment=PingPi2 interface=wlan1 mac-address=B8:27:EB:20:F7:7E vlan-mode=no-tag
/interface wireless access-list add comment=Pixel-9 interface=wlan1 mac-address=C0:1C:6A:70:FE:1F vlan-mode=no-tag
/interface wireless cap set bridge=bridgeLocal discovery-interfaces=bridgeLocal interfaces=wlan1
/ip address add address=192.168.78.1/30 interface="ether10 - OffBridge" network=192.168.78.0
/ip dhcp-client add comment=defconf interface=bridgeLocal
/lcd interface pages set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 - OffBridge"
/system clock set time-zone-name=Europe/London
/system identity set name="RB2011 64.3"
/system note set show-at-login=no

RB4011 Router Config

# 2024-12-04 22:06:18 by RouterOS 7.16.1
# software id = YCNI-BQ6N
#
# model = RB4011iGS+5HacQ2HnD

/interface bridge add admin-mac=C4:AD:34:60:79:47 auto-mac=no comment=bridge name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] comment="ether1 - Internet" name="ether1 - Internet" rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether2 ] comment="ether2 - OffBridge2" name="ether2 - OffBridge2"
/interface ethernet set [ find default-name=ether3 ] comment="ether3 " name="ether3 "
/interface ethernet set [ find default-name=ether4 ] comment="ether4 " name="ether4"
/interface ethernet set [ find default-name=ether5 ] comment=ether5
/interface ethernet set [ find default-name=ether6 ] comment="ether6 " name="ether6"
/interface ethernet set [ find default-name=ether7 ] comment="ether7 " name="ether7"
/interface ethernet set [ find default-name=ether8 ] comment="ether8" name="ether8"
/interface ethernet set [ find default-name=ether9 ] comment="ether9 -  UpUp Router MK3" name="ether9 -  UpUp Router MK3"
/interface ethernet set [ find default-name=ether10 ] comment="ether1 " name="ether10" poe-out=forced-on
/interface ethernet set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard add comment="Wireguard General Interface" listen-port= mtu=1420 name=WireGuard
/interface vlan add comment=vlan64 interface=bridge name=vlan64 vlan-id=64
/interface vlan add interface=bridge name=vlan66 vlan-id=66
/interface vlan add interface=bridge name=vlan68 vlan-id=68
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add name=TRUSTED
/interface list add name=MAIN
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_athome
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_guest
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40mhz-eC comment="5ghz Wifi - athome" configuration.country="United Kingdom" .manager=local .mode=ap .ssid=athome disabled=no name=wifi_athome security=sec_athome
/interface wifi add configuration.mode=ap .ssid=athome_guest disabled=no mac-address=C6:AD:34:60:79:51 master-interface=wifi_athome name=Guest_Wifi security=sec_guest security.authentication-types="" .ft=no .ft-preserve-vlanid=no
/interface wifi configuration add disabled=no manager=local name=cfg_guest security=sec_guest ssid=athome_g
/ip pool add name=pool_64 ranges=192.168.64.100-192.168.64.254
/ip pool add name=pool_68 ranges=192.168.68.2-192.168.68.254
/ip pool add name=pool_66 ranges=192.168.66.2-192.168.66.254
/ip dhcp-server add address-pool=pool_64 interface=vlan64 lease-time=10m name=dhcp_vlan64
/ip dhcp-server add address-pool=pool_68 interface=vlan68 lease-time=10m name=dhcp_vlan68
/ip dhcp-server add address-pool=pool_66 interface=vlan66 lease-time=10m name=dhcp_vlan66
/port set 0 name=serial0
/port set 1 name=serial1
/disk settings set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether3 - Cat Flap" pvid=68
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether4 - Alarm" pvid=68
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether6 - Sitting Room Router MK4" pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether7 - Front Room" pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether8 - DS218" pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether9 -  UpUp Router MK3" pvid=64
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface="ether10 - Up Router MK2" pvid=64
/interface bridge port add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wifi_athome pvid=64
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=Guest_Wifi pvid=66
/ip neighbor discovery-settings set discover-interface-list=LAN
/ipv6 settings set disable-ipv6=yes
/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=64
/interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=68
/interface bridge vlan add bridge=bridge tagged=bridge untagged=Guest_Wifi vlan-ids=66
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface="ether1 - Internet" list=WAN
/interface list member add interface=WireGuard list=LAN
/interface list member add interface=vlan64 list=LAN
/interface list member add interface="ether2 - OffBridge2" list=LAN
/interface list member add interface="ether2 - OffBridge2" list=TRUSTED
/interface list member add interface=vlan68 list=LAN
/interface list member add interface=vlan66 list=LAN
/interface list member add interface=WireGuard list=MAIN
/interface list member add interface=vlan64 list=MAIN
/interface list member add interface="ether2 - OffBridge2" list=MAIN
/ip address add address=192.168.64.1/24 comment="Main Network" interface=vlan64 network=192.168.64.0
/ip address add address=10.200.0.1/24 comment=RoadWarriors interface=WireGuard network=10.200.0.0
/ip address add address=10.100.0.1/24 comment=Mittens interface=WireGuard network=10.100.0.0
/ip address add address=10.64.0.1/24 comment=France interface=WireGuard network=10.64.0.0
/ip address add address=192.168.77.1/30 comment="Addresses on ether2 to allow free access to the Router. In case I mess up changes." interface="ether2 - OffBridge2" network=192.168.77.0
/ip address add address=192.168.68.1/24 comment="Machine Network" interface=vlan68 network=192.168.68.0
/ip address add address=192.168.66.1/24 comment="Guest Network" interface=vlan66 network=192.168.66.0
/ip dhcp-client add comment=defconf interface="ether1 - Internet" use-peer-dns=no

/ip dhcp-server network add address=192.168.64.0/24 comment=network_64 dns-server=192.168.64.1 gateway=192.168.64.1
/ip dhcp-server network add address=192.168.66.0/24 comment=network_66 dns-server=192.168.64.1 gateway=192.168.66.1
/ip dhcp-server network add address=192.168.68.0/24 comment=network_68 dns-server=192.168.64.1 gateway=192.168.68.1
/ip dns set allow-remote-requests=yes servers=9.9.9.9,149.112.112.112
/ip dns static add address=192.168.64.1 comment=defconf name=router.lan type=A
/ip firewall address-list add address=192.168.64.1-192.168.64.99 list=AllowToRouter
/ip firewall address-list add address=192.168.65.1-192.168.65.99 list=AllowToRouter
/ip firewall address-list add address=10.200.0.0/24 list=AllowToRouter
/ip firewall address-list add address=192.168.77.2 list=AllowToRouter
/ip firewall address-list add address=192.168.68.0/24 list=AllowToRouter
/ip firewall address-list add address=192.168.64.86 comment="Road Camera" list=Cameras
/ip firewall address-list add address=192.168.64.105 comment="Doorbell Camera" list=Cameras
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment=Wireguard dst-port=13233 protocol=udp
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" disabled=yes log=yes protocol=icmp
/ip firewall filter add action=accept chain=input comment="Allow interfaces on TRUSTED list to access Router" in-interface-list=TRUSTED
/ip firewall filter add action=accept chain=input comment="Allow LAN UDP - DNS (53) NTP (123)" dst-port=53,123 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN UDP - Netbios (137) DHCP (67) MK Discovery (5678)" disabled=yes dst-port=67,137,5678 in-interface-list=LAN protocol=udp
/ip firewall filter add action=accept chain=input comment="Allow LAN TCP - DNS (53)" dst-port=53 in-interface-list=LAN protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: Allowed to Router (HTML, SSH, Winbox)" dst-port=80,22,8291 in-interface-list=!WAN protocol=tcp src-address-list=AllowToRouter
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=forward comment="New from Trusted Main network to internet" connection-state=new in-interface-list=MAIN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="New from Trusted Main network to internal places" connection-state=new in-interface-list=MAIN out-interface-list=MAIN
/ip firewall filter add action=accept chain=forward comment="Guests can only get to the internet" connection-state=new in-interface=vlan66 out-interface-list=WAN
/ip firewall filter add action=accept chain=forward connection-state=new in-interface=vlan68 out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="new Allow Cameras to get to DS218" connection-state=new dst-address=192.168.64.6 src-address-list=Cameras
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=drop chain=input comment="Drop all else & Log"
/ip firewall filter add action=drop chain=forward log=yes log-prefix="Last Fwd:"
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route add comment=FranceLondon disabled=no distance=1 dst-address=192.168.65.0/24 gateway=10.64.0.3 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=FranceSFRRouter disabled=no distance=1 dst-address=192.168.1.0/24 gateway=10.64.0.3 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="To SFR Dongle" disabled=no distance=1 dst-address=192.168.9.0/24 gateway=10.64.0.3 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set always-allow-password-login=yes
/ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
/ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept HIP" protocol=139
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock set time-zone-name=Europe/London
/system identity set name=RB4011

/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

4011
/interface bridge port add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged interface="ether9 - UpUp Router MK3" pvid=64

/interface bridge vlan add bridge=bridge tagged=bridge,ether9 untagged=wifi_athome vlan-ids=64
/interface bridge vlan add bridge=bridge tagged=bridge,ether9 vlan-ids=68
/interface bridge vlan add bridge=bridge tagged=bridge,ether9 untagged=Guest_Wifi vlan-ids=66

2011
/interface vlan add comment=vlan64 interface=bridgeLocal name=vlan64 vlan-id=64

/ip dhcp-client add comment=defconf interface=vlan64

neki is bang on. If you wanted to give the 2011 a fixed IP address, then simply use an IP address with interface vlan64 and don't use the IP DHCP client.

Assuming ether1 is the trunk port, and don't set up ports for people to access if not desired (for example, let's say only ether2 is used for home!).
Also, on the switch you only need to define the trusted or management VLAN, and only tag the bridge for this VLAN ID.

/interface ethernet
set [ find default-name=ether10 ] name="ether10 - OffBridge"
/interface vlan
add interface=bridgeLocal name=vlan64 vlan-id=64
/interface list
add name=TRUSTED
/interface list member
add interface=vlan64 list=TRUSTED
add interface="ether10 - OffBridge" list=TRUSTED
/interface bridge port
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk to RB4011"
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=64
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan1 pvid=64
add bridge=bridgeLocal ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wlan2 pvid=66
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=ether2,wlan1 vlan-ids=64
add bridge=bridgeLocal tagged=ether1 untagged=wlan2 vlan-ids=66
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ip dns
set servers=192.168.64.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.64.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
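The configs posted in this thread (the RB4011 export and the 4011/2011 snippets in the replies) all hinge on three things agreeing: each port's pvid, the port's untagged/tagged membership in /interface bridge vlan, and where the /interface vlan L3 interface is created. The script below is an added example, not code from the thread or from MikroTik: it parses export text in both the one-line form and the section form used above and reports the mismatches that show up as "works on one port, dead on another" or as a VLAN that never crosses the trunk. The sample export inside it is constructed for the example and contains three deliberate mistakes; the port names are borrowed from the thread but the config is not anyone's real device.

```python
"""Consistency checks for a RouterOS bridge-VLAN export (added example)."""
import shlex

# Constructed sample export (not a real device) with three deliberate mistakes:
# Guest_Wifi has pvid=64 but is untagged in VLAN 66, the ether9 trunk is not
# tagged for VLAN 68, and vlan68 is created on a bridge port instead of the bridge.
SAMPLE_EXPORT = """
/interface bridge add name=bridge vlan-filtering=yes
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface="ether7 - Front Room" pvid=64
/interface bridge port add bridge=bridge frame-types=admit-only-vlan-tagged interface="ether9 - UpUp Router MK3"
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi_athome pvid=64
/interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=Guest_Wifi pvid=64
/interface bridge vlan
add bridge=bridge tagged="bridge,ether9 - UpUp Router MK3" untagged=wifi_athome vlan-ids=64
add bridge=bridge tagged=bridge vlan-ids=68
add bridge=bridge tagged="bridge,ether9 - UpUp Router MK3" untagged=Guest_Wifi vlan-ids=66
/interface vlan
add interface=bridge name=vlan64 vlan-id=64
add interface=bridge name=vlan66 vlan-id=66
add interface=wifi_athome name=vlan68 vlan-id=68
"""

# The same export with the three mistakes corrected.
FIXED_EXPORT = (
    SAMPLE_EXPORT
    .replace("interface=Guest_Wifi pvid=64", "interface=Guest_Wifi pvid=66")
    .replace("tagged=bridge vlan-ids=68", 'tagged="bridge,ether9 - UpUp Router MK3" vlan-ids=68')
    .replace("interface=wifi_athome name=vlan68", "interface=bridge name=vlan68")
)


def expand_ids(spec):
    """'64' -> [64]; '64,66' -> [64, 66]; '100-102' -> [100, 101, 102]."""
    ids = []
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse_export(text):
    """Yield (path, verb, params) for each add/set line of an export.

    Handles "/interface bridge port add ..." on one line and the section form
    "/interface bridge port" followed by "add ..." lines. shlex keeps quoted
    values such as interface="ether7 - Front Room" together.
    """
    commands, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0].startswith("/"):
            verb_at = next((i for i, t in enumerate(tokens) if t in ("add", "set")), None)
            if verb_at is None:          # section header only, e.g. "/interface vlan"
                path = " ".join(tokens)
                continue
            path, verb, args = " ".join(tokens[:verb_at]), tokens[verb_at], tokens[verb_at + 1:]
        else:
            verb, args = tokens[0], tokens[1:]
        params = dict(a.split("=", 1) for a in args if "=" in a)
        commands.append((path, verb, params))
    return commands


def check_vlans(text):
    """Return a list of findings (strings with a stable code prefix)."""
    ports, vlans, vlan_ifaces = {}, {}, []
    for path, verb, p in parse_export(text):
        if path == "/interface bridge port" and verb == "add":
            ports[p["interface"]] = p
        elif path == "/interface bridge vlan" and verb == "add":
            members = {"bridge": p.get("bridge", ""),
                       "tagged": set(filter(None, p.get("tagged", "").split(","))),
                       "untagged": set(filter(None, p.get("untagged", "").split(",")))}
            for vid in expand_ids(p.get("vlan-ids", "")):
                vlans[vid] = members
        elif path == "/interface vlan" and verb == "add":
            vlan_ifaces.append((p["name"], p["interface"], int(p["vlan-id"])))

    findings = []
    for name, p in ports.items():
        pvid = int(p.get("pvid", 1))     # RouterOS default pvid is 1
        for vid, m in vlans.items():
            if name in m["untagged"] and vid != pvid:
                findings.append(f"PVID-MISMATCH: {name} has pvid={pvid} but is an untagged member of VLAN {vid}")
        if p.get("frame-types") == "admit-only-vlan-tagged":   # a trunk port
            carried = {vid for vid, m in vlans.items() if name in m["tagged"]}
            if not carried:
                findings.append(f"TRUNK-EMPTY: {name} admits only tagged frames but is tagged in no VLAN")
            for vid in sorted(set(vlans) - carried):
                findings.append(f"TRUNK-MISSING: trunk {name} is not a tagged member of VLAN {vid}")
    for name, parent, vid in vlan_ifaces:
        if parent in ports:              # L3 VLAN interface on a slave port bypasses bridge VLAN filtering
            findings.append(f"VLAN-ON-PORT: {name} (id {vid}) sits on bridge port {parent}; create it on the bridge and use pvid / bridge vlan membership instead")
    for vid, m in sorted(vlans.items()):
        has_l3 = any(parent == m["bridge"] and v == vid for _, parent, v in vlan_ifaces)
        if m["bridge"] in m["tagged"] and not has_l3:
            findings.append(f"NO-L3: VLAN {vid} is tagged on {m['bridge']} but has no /interface vlan on the bridge")
    return findings


if __name__ == "__main__":
    for f in check_vlans(SAMPLE_EXPORT):
        print(f)
```

Paste your own `/export` output into a file and call `check_vlans(open(path).read())`; on a pure AP (like the 2011 snippet above, where only the management VLAN is tagged on bridgeLocal) the NO-L3 finding for guest VLANs is expected and can be ignored, since the AP is not meant to route them. The script only reads the export, so it is safe to run against a production config.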