Basic VLAN setup

Hi,
I am a bit new to MikroTik and especially to VLANs. I already read a few topics about MikroTik VLANs but I am still struggling...

I would like to install some IP cameras but due to their nature I would like to isolate them from the internet, and from devices on the network. Obviously except for the nvr.
My setup would look like this:
ether1: WAN
ether2: a default lan where all my trusted devices go, via a simple plain old switch pc, phone etc. [access to ether3, internet, access to the default lan]
ether3: dedicated port for an nvr [VLAN200: access to ether4, internet, access to the default lan]
ether4: cameras would go here also via a switch [VLAN100: access to ether3, no internet, optional but would be great: no access to the default lan]
ether5: connection to another MikroTik functioning as a CAP for WiFi extension, also should be part of the default LAN [access to ether3, internet, access to the default lan]

I have managed to set up the VLANs, but my problem is that I cannot communicate between them. I can ping each VLAN's own gateway but cannot ping any other device or gateway located on a different VLAN.

My question would be: how could I achieve inter VLAN communication, but with restrictions…

Also another question: do I need 3 VLANs or is it achievable with only 2? (one for the NVR, one for the cameras)

Thanks!

Here is my config: (sorry it is not pretty, I have been trying all sorts of things without luck...)


# 1970-01-02 03:48:57 by RouterOS 7.15.1
# 
#
# model = RB951Ui-2HnD

/interface bridge
add ageing-time=10s name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes
/interface vlan
add interface=bridge1 name=vlan1 vlan-id=10
add interface=bridge1 name=vlan100_Iso vlan-id=100
add interface=bridge1 name=vlan200_Control vlan-id=200
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool3 ranges=192.168.88.2-192.168.88.254
add name=pool_VLAN100 ranges=192.168.100.10-192.168.100.200
add name=pool_VLAN200 ranges=192.168.200.10-192.168.200.200
/ip dhcp-server
add address-pool=pool3 interface=vlan1 name=dhcp1
add address-pool=pool_VLAN100 interface=vlan100_Iso name=dhcp_VLAN100
add address-pool=pool_VLAN200 interface=vlan200_Control name=dhcp_VLAN200
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether4 pvid=100
add bridge=bridge1 interface=ether5 pvid=10
/interface bridge settings
set use-ip-firewall=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=200
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=100
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether5 vlan-ids=10
/ip address
add address=192.168.88.1/24 comment="Normal LAN" interface=vlan1 network=\
    192.168.88.0
add address=192.168.100.1/24 comment="Isolated VLAN100 " interface=vlan100_Iso \
    network=192.168.100.0
add address=192.168.200.1/24 comment="VLAN200 " interface=vlan200_Control \
    network=192.168.200.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1
add address=192.168.100.0/24 dns-none=yes gateway=192.168.100.1
add address=192.168.200.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
# pppoe-out1 not ready
add action=accept chain=input comment="accept ICMP" in-interface=pppoe-out1 \
    limit=5,10:packet protocol=icmp
# pppoe-out1 not ready
add action=drop chain=input comment="block everything else" in-interface=\
    pppoe-out1
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
# pppoe-out1 not ready
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=pppoe-out1
add action=accept chain=forward comment="Control -> Isolated" in-interface=\
    vlan200_Control out-interface=vlan100_Iso
add action=accept chain=forward in-interface=vlan100_Iso out-interface=\
    vlan200_Control
add action=drop chain=forward comment="Drop all except Isolated -> Control" \
    disabled=yes in-interface=vlan100_Iso out-interface=!vlan200_Control
add action=drop chain=forward comment="Block Dial Out for Isolated" disabled=\
    yes in-interface=vlan100_Iso out-interface=pppoe-out1
/ip firewall nat
# no interface
add action=masquerade chain=srcnat out-interface=pppoe-out1
/system note
set show-at-login=no
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes

Provide a diagram and a clearer description of the requirements

Does the NVR need to be on the same subnet as the cameras?
One can access the NVR by IP address and not have to be in the same LAN (advised for security reasons).

So neither cameras nor NVR need access to the internet??

Wifi will have how many wlans ( home, guest, Iot Devices )

The bible on setting up vlans: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Hi, anav!
Thanks for your help so far! I have read topic 143620, truly a bible on VLANs. I have tried experimenting with the firewall rules described there for inter-VLAN comms, but no luck…
Anyway, to answer your questions:
No, the NVR does not need to be on the same subnet as the cameras.

What I basically want to achieve is: isolate the cameras completely from everything except the NVR.

So in detail:
Allow the NVR to:

  • Access the cameras.
  • Access the internet.

Block cameras from:

  • Accessing the internet.
  • Accessing any other VLAN or device except the NVR.

Keep my regular LAN (ether2, ether5, WiFi) isolated from the cameras.

All LAN clients (ether2, ether5, and WiFi) should:

  • Have full internet access.

I will only use one SSID, no guest network or anything; it should be part of the default/trusted LAN (same as ether2 and ether5).

VLANs used:

  • VLAN 1: Default LAN – ether2, ether5, WiFi.
  • VLAN 100: Cameras – ether4.
  • VLAN 200: NVR – ether3.

Port layout (see diagram):

  • ether1: WAN
  • ether2: Trusted LAN devices (PCs, etc.)
  • ether3: NVR
  • ether4: Cameras (direct or via switch)
  • ether5: CAP connection
  • WiFi: Same as default LAN

Hope this clears up, what i would like to do…

                          +-----------------------------------+
                          |             MikroTik              |-----[VLAN1 - WiFi]
                          |              (Main)               |
                          |-----------------------------------|
                          | eth1 | eth2 | eth3 | eth4 | eth5  |
                          +------+------+------+------+-------+
                             |     |       |      |     |
                             |     |       |      |     +--> [ VLAN1 - CAP]
                             |     |       |      |
                             |     |       |      +--> [VLAN100 - Cameras]
                             |     |       +--> [VLAN200 - NVR]
                             |     +--> [VLAN1 - LAN devices]
                             |
                           [WAN]

Okay, nice explanation!!
From my reading it's probably best to have the NVR and the cameras on the same subnet but this is still possible and keep all your requirements.
Just a bit of finessing on the firewall rules. Not sure why you have an ageing time set on the bridge, first time I've seen that so removing it for now.
To be consistent I renamed vlan1 to vlan10 since vlan1 is the default vlan on the device (aka on the bridge) and thus clearer for anyone looking at the config.
Do not use ip firewall bridge, it's an advanced usage setting and not needed in most basic configs. Regular firewall covers most needs. (removed)

Extra work on dns rules and access to internet rules to allow nvr to internet. No need for vlan200, cameras and nvr on vlan100

/interface bridge
# when the config is up and working, add frame-types=admit-only-vlan-tagged to the bridge
add name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan100_Iso vlan-id=100
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool3 ranges=192.168.88.2-192.168.88.254
add name=pool_VLAN100 ranges=192.168.100.10-192.168.100.200
/ip dhcp-server
add address-pool=pool3 interface=vlan10 name=dhcp1
add address-pool=pool_VLAN100 interface=vlan100_Iso name=dhcp_VLAN100
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether3,ether4 vlan-ids=100
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether5 vlan-ids=10
/ip address
add address=192.168.88.1/24 comment="Normal LAN" interface=vlan10 network=\
    192.168.88.0
add address=192.168.100.1/24 comment="Isolated VLAN100 " interface=vlan100_Iso \
    network=192.168.100.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1
add address=192.168.100.0/24 dns-server=192.168.100.1   gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input  connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="trusted admin access"  in-interface=vlan10
# replace nvr-LAN-IP with the NVR's address on VLAN 100
add action=accept chain=input comment="nvr to dns" in-interface=vlan100_Iso src-address=nvr-LAN-IP dst-port=53 protocol=udp
add action=accept chain=input comment="nvr to dns" in-interface=vlan100_Iso src-address=nvr-LAN-IP dst-port=53 protocol=tcp
# insert this rule here, but last of all rules
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface=vlan10 out-interface=pppoe-out1
add action=accept chain=forward comment="nvr access" in-interface=vlan100_Iso src-address=nvr-LAN-IP out-interface=pppoe-out1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

++++++++++++++++++++++++++++++++++++

Now if your cameras are not picky and can access the nvr over a different subnet then

/interface bridge
add  name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan100_Iso vlan-id=100
add interface=bridge1 name=vlan200_Control vlan-id=200
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool3 ranges=192.168.88.2-192.168.88.254
add name=pool_VLAN100 ranges=192.168.100.10-192.168.100.200
add name=pool_VLAN200 ranges=192.168.200.10-192.168.200.200
/ip dhcp-server
add address-pool=pool3 interface=vlan10 name=dhcp1
add address-pool=pool_VLAN100 interface=vlan100_Iso name=dhcp_VLAN100
add address-pool=pool_VLAN200 interface=vlan200_Control name=dhcp_VLAN200
/interface bridge port
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=200
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=200
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=100
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether5 vlan-ids=10
/ip address
add address=192.168.88.1/24 comment="Normal LAN" interface=vlan10 network=\
    192.168.88.0
add address=192.168.100.1/24 comment="Isolated VLAN100 " interface=vlan100_Iso \
    network=192.168.100.0
add address=192.168.200.1/24 comment="VLAN200 " interface=vlan200_Control \
    network=192.168.200.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1
add address=192.168.100.0/24 dns-none=yes gateway=192.168.100.1
add address=192.168.200.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input  connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="trusted admin access"  in-interface=vlan10
add action=accept chain=input comment="nvr to dns" in-interface=vlan200_Control dst-port=53 protocol=udp
add action=accept chain=input comment="nvr to dns" in-interface=vlan200_Control dst-port=53 protocol=tcp
# insert this rule here, but last of all rules
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface=vlan10 out-interface=pppoe-out1
add action=accept chain=forward comment="nvr access" in-interface=vlan200_Control out-interface=pppoe-out1
add action=accept chain=forward comment="nvr to cameras" in-interface=vlan200_Control out-interface=vlan100_Iso
add action=accept chain=forward comment="cameras to nvr" in-interface=vlan100_Iso out-interface=vlan200_Control
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

Hi, anav!

Thank you for the explanation and for the detailed config(s), I really appreciate it! It's nice to see that I was kinda on the right path.
Based on the second one I reset my router and remade my config. (see below)

It worked great, however after a reboot it just stopped working. Just like my original config.
My networking knowledge is far too inadequate to explain in proper terms (coming from an IoT/programming background), but basically: I can't seem to communicate to the “outside” from a VLAN.
E.g.: on VLAN200 I can ping its gateway (192.168.200.1) but cannot ping VLAN100’s gateway (192.168.100.1) despite firewall rules enabling it. It does not matter if I try it from physical devices, or from the router terminal…

On physical devices I get a simple “timeout”, while on the router I get a “192.168.200.1 host unreachable” every 4th ping. This is strange because if I ping 192.168.200.1 from the same interface it works.
I don't really understand this because, in my mind, VLAN gateways should communicate with each other on the same router, if the firewall allows it. What really annoys me is the fact that it did work when I configured it, but after a reboot it does not. Could you please take a look at what I messed up?
++++++++++++++++++++++++

[admin@MikroTik] > ping 192.168.88.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                  
    0 192.168.88.1                                56  64 380us     
    1 192.168.88.1                                56  64 359us     
    sent=2 received=2 packet-loss=0% min-rtt=359us avg-rtt=369us max-rtt=380us 
[admin@MikroTik] > ping 192.168.200.1    
  SEQ HOST                                     SIZE TTL TIME       STATUS                  
    0 192.168.200.1                              56  64 375us     
    1 192.168.200.1                              56  64 370us     
    sent=2 received=2 packet-loss=0% min-rtt=370us avg-rtt=372us max-rtt=375us 
[admin@MikroTik] > ping 192.168.100.1 
  SEQ HOST                                     SIZE TTL TIME       STATUS                  
    0 192.168.100.1                              56  64 385us     
    1 192.168.100.1                              56  64 373us     
    sent=2 received=2 packet-loss=0% min-rtt=373us avg-rtt=379us max-rtt=385us 
    
[admin@MikroTik] > ping 192.168.100.1 interface=vlan200_Control 
  SEQ HOST                                     SIZE TTL TIME       STATUS                  
    0 192.168.100.1                                                timeout                 
    1 192.168.100.1                                                timeout                 
    2 192.168.100.1                                                timeout                 
    3 192.168.200.1                              84  64 147ms48us  host unreachable        
    4 192.168.100.1                                                timeout                 
    5 192.168.100.1                                                timeout                 
    6 192.168.100.1                                                timeout                 
    7 192.168.200.1                              84  64 131ms108us host unreachable        
    sent=8 received=0 packet-loss=100% 
    
    [admin@MikroTik] > ping 192.168.200.1 interface=vlan200_Control 
  SEQ HOST                                     SIZE TTL TIME       STATUS        
    0 192.168.200.1                              56  64 383us     
    1 192.168.200.1                              56  64 364us     
    sent=2 received=2 packet-loss=0% min-rtt=364us avg-rtt=373us max-rtt=383us

+++++++++++++++++++++++++++++++

Here is my current config (ingress filtering does not show up in the config, it is definitely on, probably a GUI-only flag?):

+++++++++++++++++++++++++++++++

/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn country=austria mode=ap-bridge ssid=\
    MikroTik
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan100_Iso vlan-id=100
add interface=bridge1 name=vlan200_Control vlan-id=200
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool3 ranges=192.168.88.2-192.168.88.254
add name=pool_VLAN100 ranges=192.168.100.10-192.168.100.200
add name=pool_VLAN200 ranges=192.168.200.10-192.168.200.200
/ip dhcp-server
add address-pool=pool3 interface=vlan10 name=dhcp1
add address-pool=pool_VLAN100 interface=vlan100_Iso name=dhcp_VLAN100
add address-pool=pool_VLAN200 interface=vlan200_Control name=dhcp_VLAN200
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 \
    pvid=10
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 \
    pvid=200
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 \
    pvid=100
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 \
    pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=200
add bridge=bridge1 tagged=bridge1 untagged=ether4 vlan-ids=100
add bridge=bridge1 tagged=bridge1 untagged=ether2,ether5 vlan-ids=10
/ip address
add address=192.168.88.1/24 comment="Normal LAN" interface=vlan10 network=192.168.88.0
add address=192.168.100.1/24 comment="Isolated VLAN100 " interface=vlan100_Iso network=\
    192.168.100.0
add address=192.168.200.1/24 comment="VLAN200 " interface=vlan200_Control network=\
    192.168.200.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1
add address=192.168.100.0/24 dns-none=yes gateway=192.168.100.1
add address=192.168.200.0/24 dns-none=yes gateway=192.168.200.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="trusted admin access" in-interface=vlan10
add action=accept chain=input comment="nvr to dns" dst-port=53 in-interface=\
    vlan200_Control protocol=udp
add action=accept chain=input comment="nvr to dns" dst-port=53 in-interface=\
    vlan200_Control protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="fasttrack established,related" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# pppoe-out1 not ready
add action=accept chain=forward comment="nvr access" in-interface=vlan200_Control \
    out-interface=pppoe-out1
# pppoe-out1 not ready
add action=drop chain=forward comment="drop dial out for vlan100" in-interface=\
    vlan100_Iso out-interface=pppoe-out1
# pppoe-out1 not ready
add action=accept chain=forward comment="internet access" in-interface=vlan10 \
    out-interface=pppoe-out1
add action=accept chain=forward comment="nvr to cameras" in-interface=vlan200_Control \
    out-interface=vlan100_Iso
add action=accept chain=forward comment="cameras to nvr" in-interface=vlan100_Iso \
    out-interface=vlan200_Control
add action=drop chain=forward comment="drop all else"

Hmm, probably a few errors, let's see what we can ascertain.

  1. This rule is not required. If you note that the last rule states DROP ALL ELSE, this means anything above this rule NOT allowed will automatically be dropped,
    so this rule is not wrong but simply not needed.
    add action=drop chain=forward comment="drop dial out for vlan100" in-interface=vlan100_Iso out-interface=pppoe-out1

  2. Also you changed the dhcp server and need to change it back for vlan200 ( preventing vlan200 internet access )
    from
    add address=192.168.200.0/24 dns-none=yes gateway=192.168.200.1
    TO:
    add address=192.168.200.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.200.1

  3. What is concerning is the pppoe warning messages that the router is pumping out
    # pppoe-out1 not ready

But will see if items 1, and 2, get you further along
Please test if the nvr and cameras can see each other (forget pinging for now) and also if vlan200 can reach internet.
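
The first-match reasoning behind point 1 above, and the isolation requirements listed earlier in the thread, can be checked offline with a small model of the forward chain. This is an added example, not part of any forum post and not MikroTik code: the rule list is transcribed from the last export in the thread with the fasttrack rule left out, and the function names and the `REQUIRED` table are made up for illustration.

```python
from itertools import product

# Forward chain transcribed, in order, from the last export in the thread.
# The fasttrack rule is left out of the model: it matches only
# established,related traffic, which the first rule here accepts.
FORWARD = [
    {"action": "accept", "state": {"established", "related"},
     "comment": "accept established,related"},
    {"action": "drop", "state": {"invalid"}, "comment": "drop invalid"},
    {"action": "accept", "in": "vlan200_Control", "out": "pppoe-out1",
     "comment": "nvr access"},
    {"action": "drop", "in": "vlan100_Iso", "out": "pppoe-out1",
     "comment": "drop dial out for vlan100"},
    {"action": "accept", "in": "vlan10", "out": "pppoe-out1",
     "comment": "internet access"},
    {"action": "accept", "in": "vlan200_Control", "out": "vlan100_Iso",
     "comment": "nvr to cameras"},
    {"action": "accept", "in": "vlan100_Iso", "out": "vlan200_Control",
     "comment": "cameras to nvr"},
    {"action": "drop", "comment": "drop all else"},
]

IFACES = ("vlan10", "vlan100_Iso", "vlan200_Control", "pppoe-out1")
STATES = ("new", "established", "related", "invalid")

# Requirements for new connections, taken from the poster's list.
REQUIRED = {
    ("vlan200_Control", "vlan100_Iso"): "accept",   # NVR -> cameras
    ("vlan100_Iso", "vlan200_Control"): "accept",   # cameras -> NVR
    ("vlan200_Control", "pppoe-out1"): "accept",    # NVR -> internet
    ("vlan10", "pppoe-out1"): "accept",             # LAN -> internet
    ("vlan100_Iso", "pppoe-out1"): "drop",          # cameras -> internet
    ("vlan100_Iso", "vlan10"): "drop",              # cameras -> LAN
    ("vlan10", "vlan100_Iso"): "drop",              # LAN -> cameras
}


def verdict(rules, in_if, out_if, state="new"):
    """Return the action of the first matching rule.

    A packet that matches no rule is accepted, which is how the RouterOS
    filter behaves without a final drop rule.
    """
    for rule in rules:
        if "state" in rule and state not in rule["state"]:
            continue
        if rule.get("in", in_if) != in_if or rule.get("out", out_if) != out_if:
            continue
        return rule["action"]
    return "accept"


def all_verdicts(rules):
    """Verdict for every routed (in, out, state) combination."""
    return {(i, o, s): verdict(rules, i, o, s)
            for i, o, s in product(IFACES, IFACES, STATES) if i != o}


def policy_violations(rules):
    """Flows whose verdict for a new connection differs from REQUIRED."""
    return [(flow, want, verdict(rules, *flow))
            for flow, want in REQUIRED.items()
            if verdict(rules, *flow) != want]


def redundant_rules(rules):
    """Comments of rules whose removal changes no verdict at all."""
    base = all_verdicts(rules)
    return [rule["comment"] for k, rule in enumerate(rules)
            if all_verdicts(rules[:k] + rules[k + 1:]) == base]


if __name__ == "__main__":
    print("violations:", policy_violations(FORWARD))
    print("redundant:", redundant_rules(FORWARD))
    print("without final drop:", policy_violations(FORWARD[:-1]))
```

With the final drop removed, the explicit camera rule still keeps cameras off the WAN, but cameras and the trusted LAN can then reach each other, so the catch-all drop is what carries the isolation.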

Hi anav!

Thank you, for pointing out these mistakes.

I’ve managed to get it working…

I agree that that firewall rule is redundant, but for testing it's great, because it shows how many packets are dropped by it.
Yes I agree that the DNS misconfiguration was definitely a huge mistake.

BUT I have a theory of what the real trouble was. For testing I haven’t plugged in the WAN cable (so I can still have internet to browse the online docs), therefore the pppoe interface could not start up. I still don't understand why but I believe that this somehow prevented the firewall from working…

So please confirm that this could be a thing on MikroTik?
Thank you again for your help! I learned a lot from it!!!

Probably related… Should be good to go.