Bridge VLAN filtering

Hi folks!

I am trying to understand how VLAN filtering works - therefore I set up a little test environment.

involved hardware:
Router 1: hEXs
Router 2: RB951G (VLAN switch presenting some untagged ports - not yet productive)
cAP: for wifi, managed by cAPsman on Router 1

Logic:
VLAN1: 192.168.1.x, administrative
VLAN2: 192.168.2.x, DMZ, NASes
VLAN3: 192.168.3.x, IOT devices, www but no access to clients or dmz
VLAN4: 192.168.4.x, “hot” zone, isolated and no www
VLAN10: 192.168.10.x, Clients, Tablets, desktops
VLAN100: 192.168.100.x, guests

current setup:
router is a hEXs
firewall is wide open until basic functions are established

mainbridge VLAN filtering = on
eth1: WAN
eth2: VLAN10 untagged → e.g. local Client PC sitting on 192.168.10.7
eth3: VLAN2 untagged → e.g. NAS1 192.168.2.111 and NAS2 192.168.2.112
eth4: trunk tagged
eth5: VLAN10 untagged → cAP for wlans

Working
VLAN filtering
untagged ports are fine
dhcp is working
internet access is ok
NAT is ok

Questions
I can ping and access my 2 NASes (192.168.2.x, sitting in VLAN2) from a VLAN10 client (192.168.10.7), but they cannot ping each other (traceroute shows 1 hop and (!H) unreachable).
What am I missing?
Any hint is highly appreciated :slight_smile:

NAS1:

[~] # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 24:5E:BE:0E:81:CA
          inet addr:192.168.2.111  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:195372901 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148956135 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:253944645608 (236.5 GiB)  TX bytes:131403311187 (122.3 GiB)
          Memory:fe600000-fe67ffff

[~] # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        *               255.255.255.255 UH    0      0        0 tun0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
224.0.0.0       *               240.0.0.0       U     0      0        0 eth0
[~] # ping 192.168.2.112
PING 192.168.2.112 (192.168.2.112): 56 data bytes
^C
--- 192.168.2.112 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

NAS2:

root@127.0.0.1:~# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:14:FD:15:A1:D2
          inet addr:192.168.2.112  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::214:fdff:fe15:a1d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23099 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6203 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2902870 (2.7 MiB)  TX bytes:2954910 (2.8 MiB)

root@127.0.0.1:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.161.210.2    *               255.255.255.255 UH    0      0        0 tun0
10.161.210.0    10.161.210.2    255.255.255.0   UG    0      0        0 tun0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
root@127.0.0.1:~# ping 192.168.2.111
PING 192.168.2.111 (192.168.2.111): 56 data bytes
^C
--- 192.168.2.111 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss

current config of router 1 / hEXs:

# aug/25/2018 10:16:22 by RouterOS 6.42.7
# software id = SVCD-AT91
#
# model = RB760iGS
# serial number = 87F208623453
# NOTE(review): software id and serial number identify this exact unit; they
# are usually stripped before an export is posted publicly.
/interface bridge
add admin-mac=CC:2D:E0:EF:0E:CF auto-mac=no name=mainbridge vlan-filtering=\
    yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-vlan10-clients
set [ find default-name=ether3 ] name=ether3-vlan2-dmz
set [ find default-name=ether4 ] disabled=yes name=ether4-trunk
set [ find default-name=ether5 ] name=ether5-vlan10-wlan poe-out=forced-on
/interface vlan
# Routed VLAN interfaces created on top of mainbridge. They are L3 endpoints
# for the router itself, not bridge ports (see the bridge port list further
# down, where they are nevertheless added as ports).
add interface=mainbridge name=vlan1 vlan-id=1
add interface=mainbridge name=vlan2 vlan-id=2
add interface=mainbridge name=vlan3 vlan-id=3
add interface=mainbridge name=vlan4 vlan-id=4
add interface=mainbridge name=vlan10 vlan-id=10
add interface=mainbridge name=vlan100 vlan-id=100
/caps-man security
# encryption=aes-ccm,tkip still permits TKIP; aes-ccm alone is the stronger
# choice unless a legacy client genuinely needs TKIP.
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=sec_mafia
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=sec_iot
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=sec_gast
/caps-man configuration
add channel.band=5ghz-a/n/ac name=cfg-mafia_ac security=sec_mafia ssid=\
    Mafia_AC
add channel.band=2ghz-b/g/n name=cfg-mafia_bgn security=sec_mafia ssid=\
    Mafia_BGN
add channel.band=2ghz-b/g/n name=cfg-gast security=sec_gast ssid=\
    Komm_nackt_und_bring_Bier
add channel.band=2ghz-b/g/n name=cfg-iot security=sec_iot ssid=Mafia_IoT
/caps-man interface
add configuration=cfg-mafia_bgn disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:ED:04:0D master-interface=none name=cap1-mafia_bgn radio-mac=\
    CC:2D:E0:ED:04:0D security=sec_mafia
add configuration=cfg-mafia_ac disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:ED:04:0E master-interface=none name=cap2-mafia_ac radio-mac=\
    CC:2D:E0:ED:04:0E security=sec_mafia
add configuration=cfg-gast disabled=no mac-address=CE:2D:E0:ED:04:0E \
    master-interface=cap1-mafia_bgn name=cap1-gast radio-mac=\
    00:00:00:00:00:00 security=sec_gast
add configuration=cfg-iot disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:ED:04:0D master-interface=cap1-mafia_bgn name=cap1-iot \
    radio-mac=00:00:00:00:00:00 security=sec_iot
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool-vlan1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool-vlan10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-vlan2 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool-vlan3 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool-vlan4 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool-vlan100 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool-vlan1 disabled=no interface=vlan1 name=dhcp-vlan1
add address-pool=dhcp_pool-vlan10 disabled=no interface=vlan10 name=\
    dhcp-vlan10
add address-pool=dhcp_pool-vlan2 disabled=no interface=vlan2 name=dhcp-vlan2
add address-pool=dhcp_pool-vlan3 disabled=no interface=vlan3 name=dhcp-vlan3
add address-pool=dhcp_pool-vlan4 disabled=no interface=vlan4 name=dhcp-vlan4
add address-pool=dhcp_pool-vlan100 disabled=no interface=vlan100 name=\
    dhcp-vlan100
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/interface bridge port
# ether2 and ether3 are access ports: only untagged frames are admitted and
# they are classified into the port's pvid.
add bridge=mainbridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-vlan10-clients pvid=10
add bridge=mainbridge interface=ether4-trunk
add bridge=mainbridge interface=ether5-vlan10-wlan pvid=10
add bridge=mainbridge interface=sfp1
# vlan1..vlan100 below are the VLAN interfaces built on this very bridge;
# adding them back in as bridge ports is the misconfiguration the replies
# point out. The VLAN interfaces should not be bridge ports at all.
add bridge=mainbridge interface=vlan1
add bridge=mainbridge frame-types=admit-only-vlan-tagged interface=vlan2 \
    pvid=2
add bridge=mainbridge frame-types=admit-only-vlan-tagged interface=vlan3 \
    pvid=3
add bridge=mainbridge frame-types=admit-only-vlan-tagged interface=vlan4 \
    pvid=4
add bridge=mainbridge frame-types=admit-only-vlan-tagged interface=vlan10 \
    pvid=10
add bridge=mainbridge frame-types=admit-only-vlan-tagged interface=vlan100 \
    pvid=100
add bridge=mainbridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-vlan2-dmz pvid=2
add bridge=mainbridge interface=cap1-gast pvid=100
add bridge=mainbridge interface=cap1-iot pvid=3
add bridge=mainbridge interface=cap1-mafia_bgn pvid=10
add bridge=mainbridge interface=cap2-mafia_ac pvid=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# tagged=mainbridge,vlanN also lists the VLAN interfaces as tagged members;
# once they are no longer bridge ports, tagged=mainbridge alone is what the
# replies recommend. ether4-trunk appears only in VLAN 1, untagged.
add bridge=mainbridge tagged=mainbridge,vlan1 untagged=ether4-trunk vlan-ids=\
    1
add bridge=mainbridge tagged=mainbridge,vlan2 untagged=ether3-vlan2-dmz \
    vlan-ids=2
add bridge=mainbridge tagged=mainbridge,vlan3 untagged=cap1-iot vlan-ids=3
add bridge=mainbridge tagged=mainbridge,vlan4 vlan-ids=4
add bridge=mainbridge tagged=mainbridge,vlan10 untagged=\
    ether2-vlan10-clients,ether5-vlan10-wlan,cap1-mafia_bgn,cap2-mafia_ac \
    vlan-ids=10
add bridge=mainbridge tagged=mainbridge,vlan100 untagged=cap1-gast vlan-ids=\
    100
/interface list member
# Only mainbridge is a LAN member; the VLAN interfaces on top of it are not,
# so everything keyed on the LAN list (mac-server, neighbor discovery, the
# disabled "drop all not coming from LAN" rule) does not cover them.
add comment=defconf interface=mainbridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
# defconf leftover: 192.168.88.1/24 sits on ether2-vlan10-clients, which is a
# bridge slave port above.
add address=192.168.88.1/24 comment=defconf interface=ether2-vlan10-clients \
    network=192.168.88.0
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.3.1/24 interface=vlan3 network=192.168.3.0
add address=192.168.4.1/24 interface=vlan4 network=192.168.4.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server lease
add address=192.168.2.111 mac-address=24:5E:BE:0E:81:CA server=dhcp-vlan2
add address=192.168.10.104 client-id=1:b8:27:eb:66:59:a9 mac-address=\
    B8:27:EB:66:59:A9 server=dhcp-vlan10
add address=192.168.2.22 client-id=1:30:cd:a7:11:eb:be mac-address=\
    30:CD:A7:11:EB:BE server=dhcp-vlan2
add address=192.168.10.2 client-id=1:cc:2d:e0:ed:4:b mac-address=\
    CC:2D:E0:ED:04:0B server=dhcp-vlan10
add address=192.168.10.103 mac-address=B8:27:EB:14:7A:F9 server=dhcp-vlan10
add address=192.168.3.250 mac-address=34:EA:34:42:F6:7D server=dhcp-vlan3
add address=192.168.2.112 mac-address=00:14:FD:15:A1:D2 server=dhcp-vlan2
/ip dhcp-server network
# NOTE(review): the VLAN 1 network advertises dns-server=192.168.100.1 (the
# vlan100 address) while every other network advertises its own gateway —
# confirm this is intended.
add address=192.168.1.0/24 dns-server=192.168.100.1,8.8.8.8 gateway=\
    192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1,8.8.8.8 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1,8.8.8.8 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1,8.8.8.8 gateway=192.168.4.1
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=\
    192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.100.0/24 dns-server=192.168.100.1,8.8.8.8 gateway=\
    192.168.100.1
/ip dns
# Remote requests are allowed, and the input chain below accepts everything
# from all-ethernet (ether1-WAN included), so this resolver answers on the WAN
# side for as long as those accept rules remain.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
# The first two rules accept everything arriving on any ethernet interface,
# ether1-WAN included, in both input and forward. Every defconf rule after
# them is never reached for WAN traffic ("drop all not coming from LAN" is
# additionally disabled=yes). The poster calls this temporary; until the two
# rules go, every service listening on the router is reachable from the WAN.
add action=accept chain=input in-interface=all-ethernet
add action=accept chain=forward in-interface=all-ethernet
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# dst-nat publishes NAS1 (192.168.2.111) on tcp/21 (FTP, cleartext), tcp/22,
# tcp/443 and several application ports, plus two VLAN 10 hosts on tcp/8081.
# With the forward chain accepting everything, nothing restricts or
# rate-limits who may reach these from ether1-WAN.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8888 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=443
add action=dst-nat chain=dstnat dst-port=8082 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.10.104 to-ports=8081
add action=dst-nat chain=dstnat dst-port=8083 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.10.103 to-ports=8081
add action=dst-nat chain=dstnat dst-port=58050 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=58050
add action=dst-nat chain=dstnat dst-port=60022 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=22
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1-WAN protocol=\
    tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=30034-32000,55536-56559 \
    in-interface=ether1-WAN protocol=tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=82,8081 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=58051 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=58051
/ip service
# Only telnet is switched off here; the remaining services keep their
# defaults and, given the accept-all input rule, are reachable from the WAN.
set telnet disabled=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=MikroTik_hEXs
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=mainbridge filter-ip-address=192.168.2.112/32

You have your VLAN interfaces created on top of the bridge added to the same bridge as bridge ports.
That’s not right.
Remove all VLAN interfaces from bridge ports.
And then add the bridge itself as a tagged member of each VLAN that have a corresponding VLAN interface.

How’s eth1 on NAS2 configured and does it have any physical connection?

In the routing table there are two routes towards network 192.168.2.0, one per eth interface. I guess NAS2 randomly chooses an interface to communicate with devices on the same subnet, while it uses eth0 to communicate with the rest of the world (including other LAN segments), since the default route uses that interface.

Edit: while @xvo might be right about the VLAN configuration on the RB, this doesn’t explain why devices in the same subnet, connected to the same ether port on the RB (which implies the use of some ethernet switch for that subnet), cannot communicate with each other … this communication should completely bypass the RB.

Found another thing in your config, that you will need to add, after removing VLAN interfaces from being the bridge ports.

In your interface lists you have only bridge added as a member of LAN.
This works for all interfaces that are ports of the bridge.
But not for the interfaces that are created on top of the bridge.
So you will also need to add desired VLAN interfaces to the LAN list independently.

I guess i mixed up old and new wiki documentation :slight_smile:

@xvo: Just to be sure - you say it has to look like this?

# Layout as the reply proposes it: the VLAN interfaces are no longer bridge
# ports, mainbridge alone is the tagged member of each VLAN, and every VLAN
# interface is added to the LAN list on its own.
/interface bridge
add admin-mac=CC:2D:E0:EF:0E:CF auto-mac=no name=mainbridge vlan-filtering=\
    yes
/interface vlan
add interface=mainbridge name=vlan1 vlan-id=1
add interface=mainbridge name=vlan2 vlan-id=2
add interface=mainbridge name=vlan3 vlan-id=3
add interface=mainbridge name=vlan4 vlan-id=4
add interface=mainbridge name=vlan10 vlan-id=10
add interface=mainbridge name=vlan100 vlan-id=100

/interface bridge port
# Physical and cAP interfaces only; no vlanN entries here any more.
add bridge=mainbridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-vlan10-clients pvid=10
add bridge=mainbridge interface=ether4-trunk
add bridge=mainbridge interface=ether5-vlan10-wlan pvid=10
add bridge=mainbridge interface=sfp1
add bridge=mainbridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-vlan2-dmz pvid=2
add bridge=mainbridge interface=cap1-gast pvid=100
add bridge=mainbridge interface=cap1-iot pvid=3
add bridge=mainbridge interface=cap1-mafia_bgn pvid=10
add bridge=mainbridge interface=cap2-mafia_ac pvid=10

/interface bridge vlan
# ether4-trunk is still only an untagged member of VLAN 1; none of the other
# VLANs list it, so nothing but VLAN 1 would leave the router on that port.
add bridge=mainbridge tagged=mainbridge untagged=ether4-trunk vlan-ids=1
add bridge=mainbridge tagged=mainbridge untagged=ether3-vlan2-dmz vlan-ids=2
add bridge=mainbridge tagged=mainbridge untagged=cap1-iot vlan-ids=3
add bridge=mainbridge tagged=mainbridge vlan-ids=4
add bridge=mainbridge tagged=mainbridge untagged=\
    ether2-vlan10-clients,ether5-vlan10-wlan,cap1-mafia_bgn,cap2-mafia_ac \
    vlan-ids=10
add bridge=mainbridge tagged=mainbridge untagged=cap1-gast vlan-ids=100

/interface list member
add comment=defconf interface=mainbridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
# Each VLAN interface joins LAN explicitly; bridge membership does not carry
# over to interfaces created on top of the bridge.
add interface=vlan1 list=LAN
add interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan4 list=LAN
add interface=vlan10 list=LAN
add interface=vlan100 list=LAN

@mkx: You are absolutely right - on NAS2 there was an old config for the unused eth1 in the same subnet as its eth0 - deactivated this and now the 2 NAS can communicate :slight_smile:

Yes, now you are ok! :smiley:

Fine thanks - I still have a lot to learn about VLANs :slight_smile:

Now the 2 NAS are fine in VLAN2 living on physical ports and I have to find out why 2 devices in VLAN3 cannot talk to each other (both connected via CAP1-iot) before I can move on with stage 2 (getting another VLAN switch running on the trunk port to offer physical ports in another room)

Do read this thread and you will understand some more.
http://forum.mikrotik.com/t/sofware-vlan-bridge-on-ruteros-explained/122534/1
At the bottom, you will find how to do it with >=6.41 software.

Check cap’s datapath settings for “client to client forwarding” to be enabled.

@xvo: Unfortunately, the client 2 client forwarding as well as local forwarding is not the solution: still no connection within VLAN3 via wifi. :slight_smile:

@jotne: Thanks for the link - I will go reading now!

It should be something on the devices themselves then, just like it was with NAS2 :slight_smile:

I just put 2 simple windows clients in there - both got DHCP, good looking routes but still no ping. As it works wired, I guess I messed up the way I bridged the caps and the vlan together …
I am going back over the docs again :slight_smile:

Thanks for the link - additionally I read through the docs again and so far it looks good now for the main router (hEXs) and its cAPs :slight_smile:

One small problem remains: I configured a second router (RB951) as a VLAN switch in order to break out some VLAN ports in another room.

I followed the same principles as in the working main router (except eth1 as trunk, eth2 untagged with VLAN2, eth3 → VLAN3, eth4 → VLAN4, eth5 → VLAN10), but I must have missed an important point: it doesn't matter on which port I plug in a client, I always get a VLAN1 address (192.168.1.x) :slight_smile:


Config Mainrouter hEXs:

/caps-man configuration
# datapath.vlan-mode=use-tag with datapath.vlan-id puts each SSID straight
# into its VLAN on the cAP side. NOTE(review): cfg-iot sets no
# security.encryption, unlike the other two — confirm the CAPsMAN default
# applied there is acceptable.
add datapath.local-forwarding=yes datapath.vlan-id=100 datapath.vlan-mode=\
    use-tag name=cfg-gast security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm,tkip ssid=Komm_nackt_und_bring_Bier
add datapath.local-forwarding=yes datapath.vlan-id=3 datapath.vlan-mode=\
    use-tag name=cfg-iot security.authentication-types=wpa2-psk ssid=\
    Mafia_IoT
add datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=\
    use-tag name=cfg-Mafia security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm,tkip ssid=Mafia
/interface bridge
add admin-mac=CC:2D:E0:EF:0E:CF auto-mac=no name=mainbridge vlan-filtering=\
    yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-vlan10-clients
set [ find default-name=ether3 ] name=ether3-vlan2-dmz
set [ find default-name=ether4 ] name=ether4-trunk
set [ find default-name=ether5 ] name=ether5-vlan10-wlan poe-out=forced-on
/interface vlan
add interface=mainbridge name=vlan1 vlan-id=1
add interface=mainbridge name=vlan2 vlan-id=2
add interface=mainbridge name=vlan3 vlan-id=3
add interface=mainbridge name=vlan4 vlan-id=4
add interface=mainbridge name=vlan10 vlan-id=10
add interface=mainbridge name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool-vlan1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool-vlan10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-vlan2 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool-vlan3 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool-vlan4 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool-vlan100 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool-vlan1 disabled=no interface=vlan1 name=dhcp-vlan1
add address-pool=dhcp_pool-vlan10 disabled=no interface=vlan10 name=\
    dhcp-vlan10
add address-pool=dhcp_pool-vlan2 disabled=no interface=vlan2 name=dhcp-vlan2
add address-pool=dhcp_pool-vlan3 disabled=no interface=vlan3 name=dhcp-vlan3
add address-pool=dhcp_pool-vlan4 disabled=no interface=vlan4 name=dhcp-vlan4
add address-pool=dhcp_pool-vlan100 disabled=no interface=vlan100 name=\
    dhcp-vlan100
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-Mafia \
    slave-configurations=cfg-gast,cfg-iot
/interface bridge port
# ether5-vlan10-wlan (the cAP uplink) has no pvid here, so its untagged
# traffic falls into VLAN 1 (it is listed untagged in VLAN 1 below); the
# SSID VLANs reach it tagged via the VLAN table.
add bridge=mainbridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-vlan10-clients pvid=10
add bridge=mainbridge interface=ether4-trunk
add bridge=mainbridge interface=ether5-vlan10-wlan
add bridge=mainbridge interface=sfp1
add bridge=mainbridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-vlan2-dmz pvid=2
/ip neighbor discovery-settings
# Discovery now answers on every interface, ether1-WAN included; the earlier
# export limited it to the LAN list.
set discover-interface-list=all
/interface bridge vlan
# vlan1 is still listed as an untagged member of VLAN 1 — the leftover the
# reply points out. ether4-trunk is untagged in VLAN 1 and tagged only in
# VLAN 4; VLANs 2, 3, 10 and 100 do not list it at all, so the RB951 behind
# that port only ever receives VLAN 1 — which matches every client there
# getting a 192.168.1.x lease.
add bridge=mainbridge tagged=mainbridge untagged=\
    ether4-trunk,vlan1,ether5-vlan10-wlan vlan-ids=1
add bridge=mainbridge tagged=mainbridge untagged=ether3-vlan2-dmz vlan-ids=2
add bridge=mainbridge tagged=mainbridge,ether5-vlan10-wlan vlan-ids=3
add bridge=mainbridge tagged=mainbridge,ether4-trunk vlan-ids=4
add bridge=mainbridge tagged=mainbridge,ether5-vlan10-wlan untagged=\
    ether2-vlan10-clients vlan-ids=10
add bridge=mainbridge tagged=mainbridge,ether5-vlan10-wlan vlan-ids=100
/interface list member
add comment=defconf interface=mainbridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=vlan1 list=LAN
# vlan2 (DMZ) is the one VLAN interface kept out of LAN (disabled=yes), so
# LAN-keyed settings such as mac-server do not apply to it.
add disabled=yes interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan4 list=LAN
add interface=vlan10 list=LAN
add interface=vlan100 list=LAN
/ip address
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.3.1/24 interface=vlan3 network=192.168.3.0
add address=192.168.4.1/24 interface=vlan4 network=192.168.4.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server lease
add address=192.168.2.111 mac-address=24:5E:BE:0E:81:CA server=dhcp-vlan2
add address=192.168.10.104 client-id=1:b8:27:eb:66:59:a9 mac-address=\
    B8:27:EB:66:59:A9 server=dhcp-vlan10
add address=192.168.2.22 client-id=1:30:cd:a7:11:eb:be mac-address=\
    30:CD:A7:11:EB:BE server=dhcp-vlan2
add address=192.168.10.103 mac-address=B8:27:EB:14:7A:F9 server=dhcp-vlan10
add address=192.168.3.250 mac-address=34:EA:34:42:F6:7D server=dhcp-vlan3
add address=192.168.2.112 mac-address=00:14:FD:15:A1:D2 server=dhcp-vlan2
add address=192.168.1.2 client-id=1:cc:2d:e0:ed:4:b mac-address=\
    CC:2D:E0:ED:04:0B server=dhcp-vlan1
add address=192.168.1.3 client-id=1:d4:ca:6d:6:11:6c mac-address=\
    D4:CA:6D:06:11:6C server=dhcp-vlan1
add address=192.168.3.246 mac-address=F0:FE:6B:72:B8:1E server=dhcp-vlan3
/ip dhcp-server network
# NOTE(review): the VLAN 1 network still advertises dns-server=192.168.100.1
# (the vlan100 address) rather than its own gateway — confirm this is
# intended.
add address=192.168.1.0/24 dns-server=192.168.100.1,8.8.8.8 gateway=\
    192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1,8.8.8.8 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1,8.8.8.8 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1,8.8.8.8 gateway=192.168.4.1
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=\
    192.168.10.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.100.0/24 dns-server=192.168.100.1,8.8.8.8 gateway=\
    192.168.100.1
/ip dns
# Remote requests allowed; with the accept-all input rule below this resolver
# is reachable from ether1-WAN.
set allow-remote-requests=yes
/ip firewall filter
# Same two accept-all rules as in the first export: everything from any
# ethernet interface (ether1-WAN included) is accepted in input and forward
# before any defconf rule runs. "drop invalid" is now disabled=yes in both
# chains as well, and "drop all not coming from LAN" remains disabled.
add action=accept chain=input in-interface=all-ethernet
add action=accept chain=forward in-interface=all-ethernet
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# NAS1 (192.168.2.111) is published on tcp/21 (FTP, cleartext), tcp/22,
# tcp/443 and several application ports; two VLAN 10 hosts on tcp/8081.
# Nothing in the forward chain restricts who may reach these.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8888 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=443
add action=dst-nat chain=dstnat dst-port=8082 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.10.104 to-ports=8081
add action=dst-nat chain=dstnat dst-port=8083 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.10.103 to-ports=8081
add action=dst-nat chain=dstnat dst-port=58050 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=58050
add action=dst-nat chain=dstnat dst-port=60022 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=22
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1-WAN protocol=\
    tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=30034-32000,55536-56559 \
    in-interface=ether1-WAN protocol=tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=82,8081 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=58051 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=58051
/ip service
# telnet, ftp and www are off and www-ssl is on with cert-ssl — an
# improvement over the first export. The remaining services keep their
# defaults and, while the accept-all input rule stands, are reachable from
# ether1-WAN.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=cert-ssl disabled=no
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=MikroTik_hEXs
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=mainbridge filter-ip-address=192.168.3.250/32

Config “VLAN Switch” RB951G:

# model = 951G-2HnD
# serial number = 4699025A5BB0
/interface bridge
# Two bridges: "bridge" (defconf) holds only wlan1 and carries the
# 192.168.88.1/24 address plus the defconf DHCP server; "vlanbridge" holds
# the ethernet ports and does the VLAN filtering.
add admin-mac=D4:CA:6D:06:11:6D auto-mac=no comment=defconf name=bridge
add fast-forward=no name=vlanbridge vlan-filtering=yes
/interface wireless
# wlan1 is enabled (disabled=no) with the factory SSID and the default
# security profile, which below sets only supplicant-identity. Nothing in
# this export configures authentication for it, so unless something not
# exported does, this is an open AP handing out 192.168.88.x leases through
# the defconf DHCP server. Disable wlan1 or give it a WPA2 profile.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-061171 wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
/interface vlan
add interface=vlanbridge name=vlan1 vlan-id=1
add interface=vlanbridge name=vlan2 vlan-id=2
add interface=vlanbridge name=vlan3 vlan-id=3
add interface=vlanbridge name=vlan4 vlan-id=4
add interface=vlanbridge name=vlan10 vlan-id=10
add interface=vlanbridge name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
# ether2..ether5 are access ports for VLANs 2, 3, 4 and 10. ether1-trunk
# joins vlanbridge with no frame-types and no pvid.
add bridge=vlanbridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=2
add bridge=vlanbridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=3
add bridge=vlanbridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=4
add bridge=vlanbridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wlan1
add bridge=vlanbridge interface=ether1-trunk
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# tagged=bridge names the other bridge, not vlanbridge (only the VLAN 3 row
# uses tagged=vlanbridge) — the point the reply asks about. ether1-trunk is
# a member of VLAN 1 only, untagged, so none of VLANs 2/3/4/10/100 are
# carried towards the hEXs over it.
add bridge=vlanbridge tagged=bridge untagged=ether1-trunk vlan-ids=1
add bridge=vlanbridge tagged=bridge untagged=ether2 vlan-ids=2
add bridge=vlanbridge tagged=vlanbridge untagged=ether3 vlan-ids=3
add bridge=vlanbridge tagged=bridge untagged=ether4 vlan-ids=4
add bridge=vlanbridge tagged=bridge untagged=ether5 vlan-ids=10
add bridge=vlanbridge tagged=bridge vlan-ids=100
/interface list member
# ether1-trunk is in WAN although it is a vlanbridge slave port; the
# WAN-keyed defconf drop rule below keys on this list.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-trunk list=WAN
/ip address
# Only vlan4 has an address; vlan1 (the intended management VLAN) has none,
# which would explain the later remark about not reaching the switch on its
# VLAN 1 IP.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.4.1/24 interface=vlan4 network=192.168.4.0
/ip dhcp-client
# DHCP client can not run on slave interface!
# (ether1-trunk is a vlanbridge port above, which is what the exported
# warning refers to.)
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-trunk
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
# The two matcher-less accept rules (input, forward) precede every drop rule,
# and "drop invalid" is disabled=yes in both chains, so this device accepts
# everything on every interface — including the open wlan1 above.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input
add action=accept chain=forward
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=MikroTik_rb951
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You still have one of the vlans left as bridge port:

add bridge=mainbridge tagged=mainbridge untagged=\
    ether4-trunk,vlan1,ether5-vlan10-wlan vlan-ids=1

And on your RB951 ether1-trunk is not a trunk really, it gets only vlan1 untagged, and that’s all:

/interface bridge vlan
add bridge=vlanbridge tagged=bridge untagged=ether1-trunk vlan-ids=1
add bridge=vlanbridge tagged=bridge untagged=ether2 vlan-ids=2
add bridge=vlanbridge tagged=vlanbridge untagged=ether3 vlan-ids=3
add bridge=vlanbridge tagged=bridge untagged=ether4 vlan-ids=4
add bridge=vlanbridge tagged=bridge untagged=ether5 vlan-ids=10
add bridge=vlanbridge tagged=bridge vlan-ids=100

And what is “tagged=bridge” btw?

Just a warning: RB951G is not capable of wire-speed switching when VLANs are configured in /interface bridge port and /interface bridge vlan. I suggest to do it in /interface ethernet switch.

For example, check this topic.

@mkx
Does this still matter when licht77 has a different VLAN on each port? I thought wire speed was only achieved when sending data within one VLAN. Here the data needs to pass through an L3 hop to get to another VLAN.

If for some other reason every bit of data has to pass through the CPU anyway, then the lack of HW offload due to VLAN filtering on the bridge doesn't matter. But I understand what licht77 wrote in the sense that he is going to use the RB951G as a switch as well (at least he mentions ether4 as a sort of trunk port; we just don't know in what way yet), so …

Due to my lack of knowledge and experience I am not yet at the point of worrying about performance — although I understand that there is a really big difference between a software bridge and a switch chip :slight_smile:

So far my setup is far from being optimized, but it "kinda starts acting as wanted"…

At this point, the RB951 already works as a "switch" and offers the main router's (hEXs) VLANs via its ports in another room.
Additionally, a cAP is plugged into the main router and is provisioning different SSIDs within the VLANs.

So far so good… I have to find out why I cannot access the switch via its VLAN1 (management) IP and then I will do some performance tests and optimizations.

And as sharing is caring :slight_smile:

Current config of the mainrouter:

# hEXs (main router) export. Lines starting with '#' are review annotations only.
/caps-man configuration
# NOTE(review): security.encryption=aes-ccm,tkip also permits TKIP, a deprecated
# cipher; aes-ccm alone is the usual choice for WPA2-PSK. cfg-iot sets no
# explicit encryption here, so it presumably runs the default — confirm.
add datapath.local-forwarding=yes datapath.vlan-id=100 datapath.vlan-mode=\
    use-tag name=cfg-gast security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm,tkip ssid=Komm_nackt_und_bring_Bier
add datapath.local-forwarding=yes datapath.vlan-id=3 datapath.vlan-mode=\
    use-tag name=cfg-iot security.authentication-types=wpa2-psk ssid=\
    Mafia_IoT
add datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=\
    use-tag name=cfg-Mafia security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm,tkip ssid=Mafia
/interface bridge
# Single bridge with VLAN filtering enabled; every VLAN interface below hangs off it.
add admin-mac=CC:2D:E0:EF:0E:CF auto-mac=no name=mainbridge vlan-filtering=\
    yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-vlan10-clients
set [ find default-name=ether3 ] name=ether3-vlan2-dmz
set [ find default-name=ether4 ] name=ether4-trunk
# PoE is forced on for the cAP port.
set [ find default-name=ether5 ] name=ether5-vlan10-wlan poe-out=forced-on
/interface vlan
# L3 VLAN interfaces; the /ip address and DHCP server entries below bind to these.
add interface=mainbridge name=vlan1 vlan-id=1
add interface=mainbridge name=vlan2 vlan-id=2
add interface=mainbridge name=vlan3 vlan-id=3
add interface=mainbridge name=vlan4 vlan-id=4
add interface=mainbridge name=vlan10 vlan-id=10
add interface=mainbridge name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# NOTE(review): the default profile allows tkip as well as aes-ccm (see the
# caps-man note above).
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool-vlan1 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool-vlan10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-vlan2 ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool-vlan3 ranges=192.168.3.2-192.168.3.254
add name=dhcp_pool-vlan4 ranges=192.168.4.2-192.168.4.254
add name=dhcp_pool-vlan100 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp_pool-vlan1 disabled=no interface=vlan1 name=dhcp-vlan1
add address-pool=dhcp_pool-vlan10 disabled=no interface=vlan10 name=\
    dhcp-vlan10
add address-pool=dhcp_pool-vlan2 disabled=no interface=vlan2 name=dhcp-vlan2
add address-pool=dhcp_pool-vlan3 disabled=no interface=vlan3 name=dhcp-vlan3
add address-pool=dhcp_pool-vlan4 disabled=no interface=vlan4 name=dhcp-vlan4
add address-pool=dhcp_pool-vlan100 disabled=no interface=vlan100 name=\
    dhcp-vlan100
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-Mafia \
    slave-configurations=cfg-gast,cfg-iot
/interface bridge port
# ether2 and ether3 are access ports (untagged only, pvid 10 and 2). ether4-trunk,
# ether5-vlan10-wlan and sfp1 carry no pvid or frame-types here, so they keep the
# RouterOS defaults (pvid 1, all frame types admitted); VLAN 1 therefore reaches
# those ports untagged — see the vlan-ids=1 entry further down.
add bridge=mainbridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2-vlan10-clients pvid=10
add bridge=mainbridge interface=ether4-trunk
add bridge=mainbridge interface=ether5-vlan10-wlan
add bridge=mainbridge interface=sfp1
add bridge=mainbridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3-vlan2-dmz pvid=2
/ip neighbor discovery-settings
# NOTE(review): 'all' includes ether1-WAN, so neighbor discovery is also
# answered towards the WAN. The switch export in this thread uses
# discover-interface-list=LAN, which is the safer choice here as well.
set discover-interface-list=all
/interface bridge vlan
# vlan1 in the first entry is the L3 VLAN interface, not a port; listing it as an
# untagged member was flagged in the reply above. ether4-trunk carries 1 untagged
# and 2, 3, 4, 10, 100 tagged; ether5-vlan10-wlan carries 1 untagged and 3, 10,
# 100 tagged (VLAN 2 and 4 are not offered to the cAP port).
add bridge=mainbridge tagged=mainbridge untagged=\
    ether4-trunk,ether5-vlan10-wlan,vlan1 vlan-ids=1
add bridge=mainbridge tagged=mainbridge,ether4-trunk untagged=\
    ether3-vlan2-dmz vlan-ids=2
add bridge=mainbridge tagged=mainbridge,ether5-vlan10-wlan,ether4-trunk \
    vlan-ids=3
add bridge=mainbridge tagged=mainbridge,ether4-trunk vlan-ids=4
add bridge=mainbridge tagged=mainbridge,ether5-vlan10-wlan,ether4-trunk \
    untagged=ether2-vlan10-clients vlan-ids=10
add bridge=mainbridge tagged=mainbridge,ether5-vlan10-wlan,ether4-trunk \
    vlan-ids=100
/interface list member
# vlan2 is a LAN member but disabled, so any in-interface-list=LAN match
# (mac-server, the disabled "drop all not coming from LAN" rule) does not treat
# VLAN 2 (DMZ) as LAN. Presumably intentional for a DMZ — confirm.
add comment=defconf interface=mainbridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=vlan1 list=LAN
add disabled=yes interface=vlan2 list=LAN
add interface=vlan3 list=LAN
add interface=vlan4 list=LAN
add interface=vlan10 list=LAN
add interface=vlan100 list=LAN
/ip address
# One /24 per VLAN; the router is .1 in each.
add address=192.168.1.1/24 interface=vlan1 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan2 network=192.168.2.0
add address=192.168.3.1/24 interface=vlan3 network=192.168.3.0
add address=192.168.4.1/24 interface=vlan4 network=192.168.4.0
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.100.1/24 interface=vlan100 network=192.168.100.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1-WAN
/ip dhcp-server lease
# Static leases; the two NASes (192.168.2.111 / .112) are on dhcp-vlan2.
add address=192.168.2.111 mac-address=24:5E:BE:0E:81:CA server=dhcp-vlan2
add address=192.168.10.104 always-broadcast=yes client-id=1:b8:27:eb:66:59:a9 \
    mac-address=B8:27:EB:66:59:A9 server=dhcp-vlan10
add address=192.168.2.22 client-id=1:30:cd:a7:11:eb:be mac-address=\
    30:CD:A7:11:EB:BE server=dhcp-vlan2
add address=192.168.10.103 mac-address=B8:27:EB:14:7A:F9 server=dhcp-vlan10
add address=192.168.3.250 mac-address=34:EA:34:42:F6:7D server=dhcp-vlan3
add address=192.168.2.112 mac-address=00:14:FD:15:A1:D2 server=dhcp-vlan2
add address=192.168.1.2 client-id=1:cc:2d:e0:ed:4:b mac-address=\
    CC:2D:E0:ED:04:0B server=dhcp-vlan1
add address=192.168.3.4 always-broadcast=yes mac-address=6C:56:97:65:73:BB \
    server=dhcp-vlan3
add address=192.168.3.3 always-broadcast=yes mac-address=50:DC:E7:6D:E8:AA \
    server=dhcp-vlan3
add address=192.168.1.3 client-id=1:d4:ca:6d:6:11:6c mac-address=\
    D4:CA:6D:06:11:6C server=dhcp-vlan1
add address=192.168.3.246 mac-address=F0:FE:6B:72:B8:1E server=dhcp-vlan3
add address=192.168.3.245 mac-address=00:17:88:7A:B4:13 server=dhcp-vlan3
/ip dhcp-server network
# NOTE(review): the 192.168.1.0/24 network hands out 192.168.100.1 (the guest
# VLAN gateway) as primary DNS, while every other network uses its own gateway —
# looks like a copy/paste slip; 192.168.1.1 is presumably intended.
add address=192.168.1.0/24 dns-server=192.168.100.1,8.8.8.8 gateway=\
    192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1,8.8.8.8 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1,8.8.8.8 gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.1,8.8.8.8 gateway=192.168.4.1
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=\
    192.168.10.1
# Leftover defconf network; no interface on this router holds 192.168.88.x.
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.100.0/24 dns-server=192.168.100.1,8.8.8.8 gateway=\
    192.168.100.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
# NOTE(review): the two rules below are first in input and forward and match
# in-interface=all-ethernet, which includes ether1-WAN. Anything arriving on an
# ethernet interface is accepted before any later defconf drop rule is evaluated,
# so "drop all from WAN not DSTNATed" never sees WAN traffic while these exist.
# The thread states the firewall is deliberately wide open for now; remove these
# once the basics work.
add action=accept chain=input in-interface=all-ethernet
add action=accept chain=forward in-interface=all-ethernet
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# "drop invalid" (input and forward) and "drop all not coming from LAN" are
# disabled=yes in this export.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# NOTE(review): the dst-nat rules below expose the NAS at 192.168.2.111 on many
# ports, including FTP (21, cleartext) and SSH (60022 -> 22), plus two VLAN 10
# hosts on 8081. With the forward chain accepting all ethernet-origin traffic
# above, nothing restricts who may reach these; consider narrowing them with
# src-address / src-address-list matchers once the filter is closed again.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=8888 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=443
add action=dst-nat chain=dstnat dst-port=8082 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.10.104 to-ports=8081
add action=dst-nat chain=dstnat dst-port=8083 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.10.103 to-ports=8081
add action=dst-nat chain=dstnat dst-port=58050 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=58050
add action=dst-nat chain=dstnat dst-port=60022 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=22
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1-WAN protocol=\
    tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=30034-32000,55536-56559 \
    in-interface=ether1-WAN protocol=tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=82,8081 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111
add action=dst-nat chain=dstnat dst-port=58051 in-interface=ether1-WAN \
    protocol=tcp to-addresses=192.168.2.111 to-ports=58051
/ip service
# telnet, ftp and plain www are disabled; www-ssl uses the cert-ssl certificate.
# Services not listed here (ssh, winbox, api) keep their defaults and are
# presumably reachable from any interface while the input chain accepts
# all-ethernet — confirm.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=cert-ssl disabled=no
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=MikroTik_hEXs
/system routerboard settings
set silent-boot=no
/tool mac-server
# MAC-telnet and MAC-Winbox restricted to the LAN list (VLAN 2 excluded, see above).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Packet sniffer pre-filtered to the bridge and 192.168.3.250 (a VLAN 3 static
# lease above) — diagnostic leftover.
set filter-interface=mainbridge filter-ip-address=192.168.3.250/32

current config of the “switch”:
(ignore the second bridge - thats just a temporary workaround to access the switch via its wifi)

# RB951G ("switch") export. Lines starting with '#' are review annotations only.
/interface bridge
# Two bridges: 'bridge' (defconf; carries wlan1 and the 192.168.88.0/24 side)
# and 'vlanbridge' (ethernet ports; STP off via protocol-mode=none). Neither has
# vlan-filtering=yes, so the pvid/frame-types on the vlanbridge ports below are
# not enforced by the bridge (they require vlan-filtering); VLAN separation on
# this box comes from the switch-chip VLAN table further down.
add admin-mac=D4:CA:6D:06:11:6D auto-mac=no comment=defconf name=bridge
add fast-forward=no name=vlanbridge protocol-mode=none
/interface wireless
# NOTE(review): wlan1 keeps a factory-style SSID and uses the default security
# profile (wpa2-psk, see below); the pre-shared key is not visible in this
# export (hidden or unset) — confirm one is set.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-061171 wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
/interface vlan
# L3 VLAN interfaces on vlanbridge; only vlan1 gets an /ip address below.
add interface=vlanbridge name=vlan1 vlan-id=1
add interface=vlanbridge name=vlan2 vlan-id=2
add interface=vlanbridge name=vlan3 vlan-id=3
add interface=vlanbridge name=vlan4 vlan-id=4
add interface=vlanbridge name=vlan10 vlan-id=10
add interface=vlanbridge name=vlan100 vlan-id=100
/interface ethernet switch
# NOTE(review): mirror-source=ether1-trunk is set but no mirror-target appears
# in this export. Mirroring the trunk copies every VLAN's traffic to the target
# port, so leave it unset unless actively troubleshooting.
set 0 mirror-source=ether1-trunk name=switch
/interface ethernet switch port
# Switch-chip VLAN handling. Port 0 (ether1-trunk) tags untagged ingress and runs
# secure mode; ports 1-4 (ether2..ether5) strip tags on egress with
# default-vlan-id 10, 3, 3, 1 — consistent with the pvid values on the bridge
# ports below. Port 5 is presumably the switch CPU port (add-if-missing,
# fallback mode) — confirm the numbering with
# /interface ethernet switch port print.
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=1 vlan-header=always-strip vlan-mode=secure
set 5 vlan-header=add-if-missing vlan-mode=fallback
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# NOTE(review): tkip is allowed alongside aes-ccm; aes-ccm alone is preferable.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# defconf DHCP server on 'bridge' (the wlan1 side), not on vlanbridge.
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
# pvid/frame-types here duplicate the switch-chip settings above; without
# vlan-filtering on vlanbridge they are documentation only. ether5 has no pvid
# (defaults to 1), matching default-vlan-id=1 on switch port 4.
add bridge=vlanbridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=vlanbridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=3
add bridge=vlanbridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=3
add bridge=vlanbridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=vlanbridge interface=ether1-trunk
/ip neighbor discovery-settings
# Discovery limited to the LAN list, which below contains only 'bridge'.
set discover-interface-list=LAN
/interface ethernet switch vlan
# Trunk carries VLANs 1, 2, 3, 4 and 10. VLAN 100 (guest), which the hEXs tags
# onto its ether4-trunk, has no entry here; with vlan-mode=secure on the trunk
# port, frames for VIDs absent from this table are dropped. VLAN 1 is the only
# VLAN reaching ether5 (untagged, per default-vlan-id=1 above).
add independent-learning=no ports=switch-cpu,ether1-trunk,ether5 switch=\
    switch vlan-id=1
add independent-learning=no ports=switch-cpu,ether1-trunk switch=switch \
    vlan-id=2
add independent-learning=no ports=switch-cpu,ether1-trunk,ether3,ether4 \
    switch=switch vlan-id=3
add independent-learning=no ports=switch-cpu,ether1-trunk switch=switch \
    vlan-id=4
add independent-learning=no ports=switch-cpu,ether1-trunk,ether2 switch=\
    switch vlan-id=10
/interface list member
# ether1-trunk is in WAN while vlanbridge (which holds the management address
# below) is in no list, so LAN-restricted features (mac-server, neighbor
# discovery) do not cover the VLAN 1 management path.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-trunk list=WAN
/ip address
# NOTE(review): 192.168.1.1/24 on vlanbridge duplicates the hEXs' vlan1 address
# 192.168.1.1/24 in the router export above — an address conflict on VLAN 1 and
# the likely reason this box is unreachable on its management IP. The hEXs also
# holds a static lease for 192.168.1.3 on a MAC one digit off this box's
# admin-mac, so .3 may have been the intended address — confirm.
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.1.1/24 interface=vlanbridge network=192.168.1.0
/ip dhcp-client
# 'bridge' runs both the defconf DHCP server above and this DHCP client —
# presumably the temporary wifi-access workaround mentioned in the thread.
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
# NOTE(review): the unconditional "accept chain=input" and "accept chain=forward"
# rules below accept everything, including traffic from ether1-trunk (which is
# in the WAN list), so the defconf drop rules after them are never reached.
# Remove or constrain them once the management issue is sorted.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input
add action=accept chain=forward
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=MikroTik_rb951
/system routerboard settings
set silent-boot=no
/tool mac-server
# MAC-telnet and MAC-Winbox restricted to the LAN list ('bridge' only).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

VLAN ID 1 is treated as untagged in ROS … so when you use it, things start to act funny. If you want everything tagged, use some other VLAN ID instead.