Can not ping 8.8.8.8 from VLAN. no internet. New to Vlan's Help

I have set up 5 VLANs to isolate IoT, Guest, etc. I can connect to the internet from VLAN 1 (the default). I do not have a firewall set up other than a single NAT masquerade rule out of the WAN. DHCP works on the VLANs. I am unable to ping out or traceroute from the VLANs. I have a default route configured. I am at a loss as to how to proceed. Help! I followed

# model = 960PGS

# First posted export: VLAN-aware bridge with an untagged "native" LAN (pvid 1,
# 192.168.100.0/24) plus tagged VLANs terminated on the router.
# This export contains no /ip firewall filter, no /ip firewall nat, no /ip dns
# and no /ip route section.
/interface bridge
# No pvid is given, so the bridge interface itself uses the default pvid (1),
# i.e. the untagged LAN that carries 192.168.100.0/24.
add name=Local_Bridge vlan-filtering=yes
/caps-man interface
# Two managed radios; master-interface=none makes each a standalone CAP interface.
# MAC addresses are redacted in this export.
add disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap1 \
    radio-mac=xx:xx:xx:xx:xx:xx radio-name=xxxxxxxx
add disabled=no mac-address=xx:xx:xx:xx:xx:xx master-interface=none name=cap2 \
    radio-mac=xx:xx:xx:xx:xx:xx radio-name=xxxxxxxx
/interface vlan
# Six L3 VLAN interfaces on top of the bridge. Only 30/40/50/60/70 also appear in
# /interface bridge vlan below; VLAN 24 (VLAN_MGMT) has no bridge VLAN entry, so
# tagged frames for it cannot cross the filtering bridge.
add interface=Local_Bridge name=VLAN_Home vlan-id=40
add interface=Local_Bridge name=VLAN_GUEST vlan-id=70
add interface=Local_Bridge name=VLAN_IOT vlan-id=60
add interface=Local_Bridge name=VLAN_MGMT vlan-id=24
add interface=Local_Bridge name=VLAN_SECURITY vlan-id=30
add interface=Local_Bridge name=VLAN_TV vlan-id=50
/caps-man security
# WPA2-PSK / AES-CCM profiles; passphrases are redacted in this export.
add authentication-types=wpa2-psk encryption=aes-ccm name=Local passphrase=\
   Xxxx
add authentication-types=wpa2-psk encryption=aes-ccm name=Guest passphrase=\
   Xxxx
add authentication-types=wpa2-psk encryption=aes-ccm name=IOT_Sec passphrase=\
    Xxxx
add authentication-types=wpa2-psk encryption=aes-ccm name=TV_Sec passphrase=\
    Xxxx
# The profile name carries a trailing space ("IP_Cam_Sec "); the configuration that
# references it below must use exactly that spelling (it does).
# NOTE(review): the passphrase is wrapped in curly quotes here -- most likely a
# copy/paste artefact; if this were imported as-is the quote characters would
# probably become part of the value. Use straight quotes.
add authentication-types=wpa2-psk encryption=aes-ccm name="IP_Cam_Sec " \
    passphrase=“xxxx”
add authentication-types=wpa2-psk encryption=aes-ccm name=Work_Security \
    passphrase=xxxx
add authentication-types=wpa2-psk encryption=aes-ccm name=Home_Sec \
    passphrase=xxxx
/caps-man configuration
# datapath.local-forwarding=yes: the CAP bridges client traffic itself instead of
# tunnelling it to the manager, so the VLAN tag is applied on the CAP and the
# switch port the CAP plugs into must carry these VLANs tagged.
# NOTE(review): Config_Home uses datapath.vlan-mode=no-tag, so vlan-id=40 is not
# applied to Home clients; they leave the CAP untagged and land in whatever pvid
# the CAP's uplink port has. Every other SSID below uses use-tag.
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=40 \
    datapath.vlan-mode=no-tag name=Config_Home security=Home_Sec \
    ssid=Caladonia
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=70 \
    datapath.vlan-mode=use-tag name=Config_GUEST security=Guest ssid=\
    Home_Guest
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=30 \
    datapath.vlan-mode=use-tag hide-ssid=yes name=Config_Security security=\
    "IP_Cam_Sec " ssid=Security
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=50 \
    datapath.vlan-mode=use-tag hide-ssid=yes name=Config_TV security=TV_Sec \
    ssid=TV
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=60 \
    datapath.vlan-mode=use-tag hide-ssid=yes name=Config_IOT security=IOT_Sec \
    ssid=IOT
/interface list
# WAN/LAN lists; members are assigned further down (ether1 -> WAN, Local_Bridge -> LAN).
# The VLAN_* interfaces are not members of either list.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Default local-radio profile, only the defconf supplicant identity is set.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Default hotspot profile; no hotspot server is defined in this export.
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# Address pools. Several do not belong to the subnet of the VLAN interface that
# hands them out (compare /ip address and /ip dhcp-server below):
#  - GuestPool is 192.168.1.x but VLAN_GUEST is 192.168.9.254/24, and it overlaps
#    Security_Pool (192.168.1.2-20), which does belong to VLAN_SECURITY.
#  - IOT_Pool begins with "19.168.8.1" (typo), and 192.168.8.x is not a configured
#    subnet at all; VLAN_IOT is 192.168.254.254/24.
#  - L2TP_Pool is not referenced by anything in this export.
add name=dhcp ranges=192.168.100.10-192.168.100.20
add name=Home_Pool ranges=192.168.22.1-192.168.22.30
add name=GuestPool ranges=192.168.1.2-192.168.1.43
add name=IOT_Pool ranges=19.168.8.1-192.168.8.50
add name=L2TP_Pool ranges=192.168.22.50-192.168.22.60
add name=TV_pool ranges=192.168.253.1-192.168.253.25
add name=Security_Pool ranges=192.168.1.2-192.168.1.20
/ip dhcp-server
# One server per VLAN plus dhcp1 on the bridge interface itself, i.e. the untagged
# pvid-1 LAN: any bridge port without its own pvid gets a lease from dhcp1.
# dhcp_Guest and dhcp_IOT hand out the mismatched pools noted above, so clients on
# those VLANs get an address that is not on the same subnet as their gateway.
add address-pool=dhcp disabled=no interface=Local_Bridge lease-time=2m name=\
    dhcp1
add address-pool=Home_Pool disabled=no interface=VLAN_Home \
    lease-time=2m name=dhcp_Home
add address-pool=GuestPool disabled=no interface=VLAN_GUEST lease-time=2m name=\
    dhcp_Guest
add address-pool=IOT_Pool disabled=no interface=VLAN_IOT name=dhcp_IOT
add address-pool=TV_pool disabled=no interface=VLAN_TV name=dhcp_TV
add address-pool=Security_Pool disabled=no interface=VLAN_SECURITY name=\
    dhcp_Security
/user group
# Default "full" group policy (includes ftp, telnet, api, sensitive). Which
# management services actually listen is in /ip service, which is not in this export.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
# CAPsMAN enabled with an auto-generated CA and certificate.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# All four provisioning rules are disabled=yes, so none of the configurations
# above is pushed to a CAP by these rules.
add action=create-dynamic-enabled disabled=yes master-configuration=\
    Config_Home slave-configurations=\
    Config_GUEST,Config_IOT,Config_Security,Config_TV
add comment=951 disabled=yes master-configuration=Config_TV radio-mac=\
    xx:xx:xx:xx:xx:xx
add comment=Cloud9 disabled=yes master-configuration=Config_Home \
    radio-mac=xx:xx:xx:xx:xx:xx
add comment=RED disabled=yes master-configuration=Config_Security radio-mac=\
    xx:xx:xx:xx:xx:xx
/interface bridge port
# ether4 (pvid 40) and ether5 (pvid 50) are untagged members of those VLANs;
# ether2, ether3 and sfp1 keep the default pvid 1.
# NOTE(review): no frame-types / ingress-filtering is set, so a port also accepts
# tagged frames for any VLAN it is listed in; for pure access ports
# frame-types=admit-only-untagged-and-priority-tagged keeps clients from
# injecting tagged frames.
add bridge=Local_Bridge interface=ether2
add bridge=Local_Bridge interface=ether3
add bridge=Local_Bridge interface=ether4 pvid=40
add bridge=Local_Bridge interface=ether5 pvid=50
add bridge=Local_Bridge interface=sfp1
/interface bridge vlan
# Bridge VLAN table. Local_Bridge is tagged in every VLAN so the L3 VLAN
# interfaces above can send and receive. ether4 is listed as *tagged* in VLAN 40
# while its pvid already makes it *untagged* in 40 (likewise ether5 in 50); a
# port cannot be both, so one of the two declarations is overridden.
# VLAN 24 has no entry, and ether2/ether3/sfp1 are in no VLAN but the untagged pvid-1 LAN.
add bridge=Local_Bridge tagged=Local_Bridge,ether5,ether4 vlan-ids=30
add bridge=Local_Bridge tagged=Local_Bridge,ether4,ether5 vlan-ids=40
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=50
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=60
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=70
/interface list member
add interface=ether1 list=WAN
add interface=Local_Bridge list=LAN
/ip address
# NOTE(review): 192.168.100.1/24 sits on ether2, which is a bridge *port*;
# addresses belong on the bridge interface (Local_Bridge), not on its members.
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.22.254/24 interface=VLAN_Home network=192.168.22.0
add address=192.168.1.1/24 interface=VLAN_SECURITY network=192.168.1.0
# NOTE(review): no prefix length here (RouterOS treats a bare address as /32),
# unlike every other entry, so VLAN_TV gets no connected /24 route -- confirm
# with /ip route print.
add address=192.168.253.254 interface=VLAN_TV network=192.168.253.0
add address=192.168.254.254/24 interface=VLAN_IOT network=192.168.254.0
add address=192.168.9.254/24 interface=VLAN_GUEST network=192.168.9.0
add address=10.8.12.254/24 interface=VLAN_MGMT network=10.8.12.0
/ip dhcp-client
# WAN address (and, with the client's default settings, the default route) come
# from DHCP on ether1.
add disabled=no interface=ether1
/ip dhcp-server network
# Per-subnet DHCP options. 192.168.100.0/24 hands out no dns-server at all; the
# other networks point clients at one of the router's own VLAN addresses for DNS,
# which only works if /ip dns allows remote requests (that section is not in
# this export). The 192.168.9.0/24 options are never used because GuestPool is
# 192.168.1.x (see /ip pool).
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.9.0/24 dns-server=192.168.22.254 gateway=192.168.9.254
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
add address=192.168.22.0/24 dns-server=192.168.22.254 domain=Annwn gateway=\
    192.168.22.254
add address=192.168.253.0/24 dns-server=192.168.22.254 gateway=192.168.253.254
add address=192.168.254.0/24 dns-server=192.168.22.254 gateway=192.168.254.254
/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled; this reduces attack surface and is
# fine to keep.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH session be negotiated with the
# "none" cipher, i.e. unencrypted; set it to no. forwarding-enabled=remote allows
# remote port forwarding through the router's SSH server; disable unless needed.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/New_York
/system identity
set name=Mikrotik
/system ntp client
# NTP client enabled; no server address appears in this export.
set enabled=yes

And that NAT rule is not shown in the config you posted. So either you don’t have it, or you did not post the whole config (and then it’s hard to tell what could be wrong).

BTW (just to be quicker than @anav):

/ip address
add address=192.168.100.1/24 interface=> LocalBridge > network=192.168.100.0

L3 setup should go to the bridge interface, not to a member port. And I’d ditch the “native” VLAN 1 and go with an all-VLAN setup; it’s much cleaner that way.

@mkvx Thanks for answering so fast.

I ditched the native VLAN setup and set 192.168.100.1/24 on Local_Bridge.

# nov/30/2020 09:46:38 by RouterOS 6.47.2
# software id = xxxxx
#
# model = 960PGS
# serial number = xxxx
# Second posted export: the bridge address has been moved onto Local_Bridge, a
# masquerade NAT rule is now present, and VLAN 24 (MGMT) has a bridge VLAN entry
# and a DHCP server. Still no /ip firewall filter, /ip dns or /ip route section.
/interface bridge
# NOTE(review): pvid=50 makes the bridge interface (which carries 192.168.100.1/24)
# an *untagged* member of VLAN 50, while /interface bridge vlan below lists
# Local_Bridge as *tagged* in VLAN 50 and VLAN_TV also terminates VLAN 50. The two
# declarations conflict; leave the bridge pvid at its default (1) unless VLAN 50
# really is meant to be the untagged management LAN.
add name=Local_Bridge pvid=50 vlan-filtering=yes
/interface vlan
# L3 VLAN interfaces on top of the bridge; all six now have a bridge VLAN entry below.
add interface=Local_Bridge name=VLAN_GUEST vlan-id=70
add interface=Local_Bridge name=VLAN_Home vlan-id=40
add interface=Local_Bridge name=VLAN_IOT vlan-id=60
add interface=Local_Bridge name=VLAN_MGMT vlan-id=24
add interface=Local_Bridge name=VLAN_SECURITY vlan-id=30
add interface=Local_Bridge name=VLAN_TV vlan-id=50
/caps-man security
# WPA2-PSK / AES-CCM profiles. NOTE(review): if "123456789" is not just a
# redaction placeholder, a short all-digit PSK is weak; use a long random
# passphrase per SSID.
add authentication-types=wpa2-psk encryption=aes-ccm name=Local passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=Guest passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=IOT_Sec passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=TV_Sec passphrase=123456789
# Profile name carries a trailing space; the reference in /caps-man configuration matches it.
add authentication-types=wpa2-psk encryption=aes-ccm name="IP_Cam_Sec " passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=RWC_Security passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=Home_Sec passphrase=123456789
/caps-man configuration
# local-forwarding=yes: the CAP bridges client traffic itself, so tagging happens
# on the CAP and its uplink switch port must carry these VLANs tagged.
# NOTE(review): Config_Home is vlan-mode=no-tag, so vlan-id=40 is not applied to
# Home clients; they leave the CAP untagged. The other SSIDs use use-tag.
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=40 datapath.vlan-mode=no-tag name=Config_Home security=\
    Home_Sec ssid=Home
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=70 datapath.vlan-mode=use-tag name=Config_GUEST \
    security=Guest ssid=Home_Guest
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag hide-ssid=yes name=\
    Config_Security security="IP_Cam_Sec " ssid=Security
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=50 datapath.vlan-mode=use-tag hide-ssid=yes name=\
    Config_TV security=TV_Sec ssid=TV
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=60 datapath.vlan-mode=use-tag hide-ssid=yes name=\
    Config_IOT security=IOT_Sec ssid=IOT
/interface list
# Members are assigned further down: ether1 -> WAN, Local_Bridge -> LAN. The
# VLAN_* interfaces are in neither list.
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Default hotspot profile; no hotspot server is defined in this export.
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# Address pools. Several still do not belong to the subnet of the VLAN that
# hands them out (compare /ip address and /ip dhcp-server below):
#  - GuestPool is 192.168.1.x but VLAN_GUEST is 192.168.9.254/24, and it overlaps
#    Security_Pool (192.168.1.2-20), which belongs to VLAN_SECURITY.
#  - IOT_Pool begins with "19.168.8.1" (typo), and 192.168.8.x is not a configured
#    subnet; VLAN_IOT is 192.168.254.254/24.
#  - L2TP_Pool is not referenced by anything in this export.
#  - dhcp_pool7 runs to 10.8.12.253; if other switches use static addresses at the
#    top of 10.8.12.0/24, keep those outside the dynamic range.
add name=dhcp ranges=192.168.100.10-192.168.100.20
add name=Homel_Pool ranges=192.168.22.1-192.168.22.30
add name=GuestPool ranges=192.168.1.2-192.168.1.43
add name=IOT_Pool ranges=19.168.8.1-192.168.8.50
add name=L2TP_Pool ranges=192.168.22.50-192.168.22.60
add name=TV_pool ranges=192.168.253.1-192.168.253.25
add name=Security_Pool ranges=192.168.1.2-192.168.1.20
add name=dhcp_pool7 ranges=10.8.12.1-10.8.12.253
/ip dhcp-server
# One server per VLAN plus dhcp1 on the bridge interface itself (the untagged
# LAN): any bridge port without its own pvid gets a lease from dhcp1.
# dhcp_Guest and dhcp_IOT hand out the mismatched pools noted above.
add address-pool=dhcp disabled=no interface=Local_Bridge lease-time=2m name=dhcp1
add address-pool=Homel_Pool disabled=no interface=VLAN_Home lease-time=2m name=dhcp_Home
add address-pool=GuestPool disabled=no interface=VLAN_GUEST lease-time=2m name=dhcp_Guest
add address-pool=IOT_Pool disabled=no interface=VLAN_IOT name=dhcp_IOT
add address-pool=TV_pool disabled=no interface=VLAN_TV name=dhcp_TV
add address-pool=Security_Pool disabled=no interface=VLAN_SECURITY name=dhcp_Security
add address-pool=dhcp_pool7 disabled=no interface=VLAN_MGMT name=dhcp2
/user group
# Default "full" group policy (includes ftp, telnet, api, sensitive); /ip service
# (which services actually listen) is not part of this export.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# The only provisioning rule is disabled=yes, so no CAP is provisioned by it.
add action=create-dynamic-enabled disabled=yes master-configuration=Config_Home slave-configurations=\
    Config_GUEST,Config_IOT,Config_Security,Config_TV
/interface bridge port
# Access ports: ether3 untagged in VLAN 24, ether4 in 40, ether5 in 50.
# ether2 and sfp1 keep pvid 1, for which there is no bridge VLAN entry.
# NOTE(review): no frame-types / ingress-filtering is set; for pure access ports
# frame-types=admit-only-untagged-and-priority-tagged keeps clients from
# injecting tagged frames for other VLANs.
add bridge=Local_Bridge interface=ether2
add bridge=Local_Bridge interface=ether3 pvid=24
add bridge=Local_Bridge interface=ether4 pvid=40
add bridge=Local_Bridge interface=ether5 pvid=50
add bridge=Local_Bridge interface=sfp1
/interface bridge vlan
# Local_Bridge is tagged in every VLAN so the L3 VLAN interfaces can send/receive.
# ether4 is listed as tagged in VLAN 40 although its pvid makes it untagged in 40
# (likewise ether5 in 50); one of the two declarations is overridden.
# VLAN 50 tagged on Local_Bridge also contradicts the bridge's own pvid=50.
add bridge=Local_Bridge tagged=Local_Bridge,ether5,ether4 vlan-ids=30
add bridge=Local_Bridge tagged=Local_Bridge,ether4,ether5 vlan-ids=40
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=50
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=60
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=70
add bridge=Local_Bridge tagged=Local_Bridge vlan-ids=24
/interface list member
add interface=ether1 list=WAN
add interface=Local_Bridge list=LAN
/ip address
# The untagged-LAN address now lives on the bridge interface.
add address=192.168.100.1/24 interface=Local_Bridge network=192.168.100.0
add address=192.168.22.254/24 interface=VLAN_Home network=192.168.22.0
add address=192.168.1.1/24 interface=VLAN_SECURITY network=192.168.1.0
# NOTE(review): still no prefix length (treated as /32), unlike every other
# entry; VLAN_TV gets no connected /24 route.
add address=192.168.253.254 interface=VLAN_TV network=192.168.253.0
add address=192.168.254.254/24 interface=VLAN_IOT network=192.168.254.0
add address=192.168.9.254/24 interface=VLAN_GUEST network=192.168.9.0
add address=10.8.12.254/24 interface=VLAN_MGMT network=10.8.12.0
/ip dhcp-client
# WAN address (and, with the client's default settings, the default route) from ether1.
add disabled=no interface=ether1
/ip dhcp-server network
# Per-subnet DHCP options. 192.168.100.0/24 hands out no dns-server; the others
# point clients at a router address for DNS, which only works if /ip dns allows
# remote requests (not in this export). The 192.168.9.0/24 options are never
# used because GuestPool is 192.168.1.x.
add address=10.8.12.0/24 dns-server=10.8.12.254 gateway=10.8.12.254
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.9.0/24 dns-server=192.168.22.254 gateway=192.168.9.254
add address=192.168.22.0/24 dns-server=192.168.22.254 gateway=192.168.22.254
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
add address=192.168.253.0/24 dns-server=192.168.22.254 gateway=192.168.253.254
add address=192.168.254.0/24 dns-server=192.168.22.254 gateway=192.168.254.254
/ip firewall nat
# Source NAT for everything leaving via a WAN-list interface (ether1). The VLAN
# interfaces do not need to be in any list for this rule; only the egress does.
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled; fine to keep.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes permits SSH sessions with the "none"
# (unencrypted) cipher -- set it to no. forwarding-enabled=remote allows remote
# port forwarding through the router's SSH server; disable unless needed.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/New_York
/system identity
set name=Home
/system ntp client
# NTP client enabled; no server address appears in this export.
set enabled=yes
[Admin@Home] >

These two settings are not compatible:

/interface bridge
add name=Local_Bridge > pvid=50 > vlan-filtering=yes
/interface bridge vlan
add bridge=Local_Bridge > tagged=Local_Bridge> ,ether4 > vlan-ids=50

\

the next one adds to the confusion

/interface vlan
add interface=Local_Bridge name=VLAN_TV vlan-id=50

One thing which one has to keep in mind: bridge has two personalities:

  1. something like a switch (with vlan-filtering=yes even a “smart” switch), forwarding frames between member ports
  2. an interface, which connects the bridge (like a switch) with the CPU. It gets created implicitly and is a member port of the switch-like entity. It acts pretty similarly to other ports.

Setting pvid on the bridge (the first command quoted above) declares that the bridge interface should be an untagged member of VLAN 50. The second quoted command then overrides this definition, declaring it a tagged member of VLAN 50. The untagged interface has IP address 192.168.100.1 and can actually inject frames into VLAN 50 (due to the pvid set) but probably won’t get any frames back (because the interface is declared as tagged). Then there’s VLAN_TV with IP address 192.168.253.254, which will receive the frames targeting 192.168.100.1 … and can both send and receive frames to/from VLAN 50.

You’ll have to think about what you want to do with VLAN 50 …


To return to your problem: how are your clients connected to the router while they can’t use internet? Which particular VLAN? If CAPsMAN controlled AP, where is it connected?

Unlike my good friend MKX, I would not comment on the rest or help until you protected your router from the internet via firewall rules.

I am connecting via a direct ethernet connection, with CAPsMAN-configured individual APs for each VLAN / wireless network. Each is a switch for some or all of the VLANs, i.e. sw1 (960PGS) is the gateway; port 5 trunks to Eth1 (10.8.12.253) on sw2 (951), all VLANs. I am also connecting to port 3 (untagged VLAN 40, 30, 50…) with my laptop. I can get an address via DHCP. VLAN 1 (192.168.100.0/24) is the only VLAN that can connect to the internet.

I have added my firewall setup … I had removed it to eliminate it from the equation. I am trying to learn, but have hit a wall with VLANs.

# model = 960PGS
# serial number = 
# Third posted export: same bridge/VLAN layout as before, now with the defconf
# address lists, a filter chain, a raw chain and NAT. Still no /ip dns or
# /ip route section. Rule order matters in every firewall chain below.
/interface bridge
# NOTE(review): pvid=50 makes the bridge interface (192.168.100.1/24) an untagged
# member of VLAN 50, while /interface bridge vlan lists Local_Bridge as tagged in
# VLAN 50 and VLAN_TV also terminates VLAN 50; the declarations conflict. Leave
# the bridge pvid at its default (1) unless VLAN 50 is meant to be the untagged LAN.
add name=Local_Bridge pvid=50 vlan-filtering=yes
/interface vlan
add interface=Local_Bridge name=VLAN_GUEST vlan-id=70
add interface=Local_Bridge name=VLAN_Home vlan-id=40
add interface=Local_Bridge name=VLAN_IOT vlan-id=60
add interface=Local_Bridge name=VLAN_MGMT vlan-id=24
add interface=Local_Bridge name=VLAN_SECURITY vlan-id=30
add interface=Local_Bridge name=VLAN_TV vlan-id=50
/caps-man security
# NOTE(review): if "123456789" is not just a redaction placeholder, a short
# all-digit PSK is weak; use a long random passphrase per SSID.
add authentication-types=wpa2-psk encryption=aes-ccm name=Local passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=Guest passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=IOT_Sec passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=TV_Sec passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name="IP_Cam_Sec " passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=RWC_Security passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=Home_Sec passphrase=123456789
/caps-man configuration
# local-forwarding=yes: tagging happens on the CAP, so its uplink switch port must
# carry these VLANs tagged. Config_Home is vlan-mode=no-tag, so vlan-id=40 is not
# applied to Home clients; they leave the CAP untagged.
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=40 datapath.vlan-mode=no-tag name=Config_Home security=\
    Home_Sec ssid=Home
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=70 datapath.vlan-mode=use-tag name=Config_GUEST \
    security=Guest ssid=Home_Guest
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag hide-ssid=yes name=\
    Config_Security security="IP_Cam_Sec " ssid=Security
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=50 datapath.vlan-mode=use-tag hide-ssid=yes name=\
    Config_TV security=TV_Sec ssid=TV
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=60 datapath.vlan-mode=use-tag hide-ssid=yes name=\
    Config_IOT security=IOT_Sec ssid=IOT
/interface list
# Members (assigned below): ether1 -> WAN, Local_Bridge -> LAN. The VLAN_*
# interfaces are in neither list -- this matters for every in-interface-list
# match in the filter and raw chains further down.
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Default hotspot profile; no hotspot server is defined in this export.
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# Several pools still do not belong to the subnet of the VLAN that hands them out:
#  - GuestPool is 192.168.1.x but VLAN_GUEST is 192.168.9.254/24, and it overlaps
#    Security_Pool (192.168.1.2-20), which belongs to VLAN_SECURITY.
#  - IOT_Pool begins with "19.168.8.1" (typo) and 192.168.8.x is not a configured
#    subnet; VLAN_IOT is 192.168.254.254/24.
#  - L2TP_Pool is not referenced by anything in this export.
add name=dhcp ranges=192.168.100.10-192.168.100.20
add name=Homel_Pool ranges=192.168.22.1-192.168.22.30
add name=GuestPool ranges=192.168.1.2-192.168.1.43
add name=IOT_Pool ranges=19.168.8.1-192.168.8.50
add name=L2TP_Pool ranges=192.168.22.50-192.168.22.60
add name=TV_pool ranges=192.168.253.1-192.168.253.25
add name=Security_Pool ranges=192.168.1.2-192.168.1.20
add name=dhcp_pool7 ranges=10.8.12.1-10.8.12.253
/ip dhcp-server
# One server per VLAN plus dhcp1 on the bridge interface itself (the untagged
# LAN). dhcp_Guest and dhcp_IOT hand out the mismatched pools noted above.
add address-pool=dhcp disabled=no interface=Local_Bridge lease-time=2m name=dhcp1
add address-pool=Homel_Pool disabled=no interface=VLAN_Home lease-time=2m name=dhcp_Home
add address-pool=GuestPool disabled=no interface=VLAN_GUEST lease-time=2m name=dhcp_Guest
add address-pool=IOT_Pool disabled=no interface=VLAN_IOT name=dhcp_IOT
add address-pool=TV_pool disabled=no interface=VLAN_TV name=dhcp_TV
add address-pool=Security_Pool disabled=no interface=VLAN_SECURITY name=dhcp_Security
add address-pool=dhcp_pool7 disabled=no interface=VLAN_MGMT name=dhcp2
/user group
# Default "full" group policy; /ip service (which services listen) is not exported here.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# The only provisioning rule is disabled=yes, so no CAP is provisioned by it.
add action=create-dynamic-enabled disabled=yes master-configuration=Config_Home slave-configurations=\
    Config_GUEST,Config_IOT,Config_Security,Config_TV
/interface bridge port
# Access ports: ether3 untagged in VLAN 24, ether4 in 40, ether5 in 50; ether2
# and sfp1 keep pvid 1, which has no bridge VLAN entry.
# NOTE(review): no frame-types / ingress-filtering is set; for pure access ports
# frame-types=admit-only-untagged-and-priority-tagged keeps clients from
# injecting tagged frames for other VLANs.
add bridge=Local_Bridge interface=ether2
add bridge=Local_Bridge interface=ether3 pvid=24
add bridge=Local_Bridge interface=ether4 pvid=40
add bridge=Local_Bridge interface=ether5 pvid=50
add bridge=Local_Bridge interface=sfp1
/interface bridge vlan
# Local_Bridge tagged in every VLAN so the L3 VLAN interfaces can send/receive.
# ether4 is listed as tagged in VLAN 40 although its pvid makes it untagged in 40
# (likewise ether5 in 50); one declaration overrides the other. VLAN 50 tagged on
# Local_Bridge also contradicts the bridge's own pvid=50.
add bridge=Local_Bridge tagged=Local_Bridge,ether5,ether4 vlan-ids=30
add bridge=Local_Bridge tagged=Local_Bridge,ether4,ether5 vlan-ids=40
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=50
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=60
add bridge=Local_Bridge tagged=Local_Bridge,ether4 vlan-ids=70
add bridge=Local_Bridge tagged=Local_Bridge vlan-ids=24
/interface list member
add interface=ether1 list=WAN
add interface=Local_Bridge list=LAN
/ip address
# Every entry now has a prefix length and sits on an L3 interface (bridge or VLAN).
add address=192.168.100.1/24 interface=Local_Bridge network=192.168.100.0
add address=192.168.22.254/24 interface=VLAN_Home network=192.168.22.0
add address=192.168.1.1/24 interface=VLAN_SECURITY network=192.168.1.0
add address=192.168.253.254/24 interface=VLAN_TV network=192.168.253.0
add address=192.168.254.254/24 interface=VLAN_IOT network=192.168.254.0
add address=192.168.9.254/24 interface=VLAN_GUEST network=192.168.9.0
add address=10.8.12.254/24 interface=VLAN_MGMT network=10.8.12.0
/ip dhcp-client
# WAN address (and, with the client's default settings, the default route) from ether1.
add disabled=no interface=ether1
/ip dhcp-server network
# Per-subnet DHCP options. 192.168.100.0/24 hands out no dns-server; most others
# point clients at a router address for DNS, which (a) only works if /ip dns
# allows remote requests (not exported) and (b) is blocked by the input chain
# below for VLAN clients. The 192.168.9.0/24 options are never used because
# GuestPool is 192.168.1.x.
add address=10.8.12.0/24 dns-server=10.8.12.254 gateway=10.8.12.254
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.9.0/24 dns-server=192.168.22.254 gateway=192.168.9.254
add address=192.168.22.0/24 dns-server=192.168.22.254 domain=Annwn gateway=192.168.22.254
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
# NOTE(review): 208.67.22.22 looks like a mistyped public-resolver address -- confirm.
add address=192.168.253.0/24 dns-server=208.67.22.22 gateway=192.168.253.254
add address=192.168.254.0/24 dns-server=192.168.22.254 gateway=192.168.254.254
/ip firewall address-list
# Bogon / special-purpose ranges from the RouterOS default ("defconf") firewall,
# consumed by the raw and forward rules below.
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
/ip firewall filter
# NOTE(review): this psd rule has no in-interface match, so a LAN/VLAN host that
# touches many router ports (device discovery, a scanner app) lands in
# "port scanners" for two weeks and is then dropped on input AND forward by the
# two rules near the end of this chain -- a self-lockout risk.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment=\
    "Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Only Local_Bridge is in the LAN list (see /interface list member), so input
# arriving on any VLAN_* interface -- including DNS queries to the 192.168.x.254
# addresses handed out above -- is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
# Scan-detection rules. The input ones sit after "drop all not coming from LAN",
# so they can only ever match LAN-originated packets; the forward ones are all
# disabled=yes and do nothing.
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment=\
    "Port scanners to list " disabled=yes protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment=\
    "NMAP FIN Stealth scan" disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="SYN/FIN scan" \
    disabled=yes protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="SYN/RST scan" \
    disabled=yes protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="FIN/PSH/URG scan" \
    disabled=yes protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="ALL/ALL scan" \
    disabled=yes protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=forward comment="NMAP NULL scan" \
    disabled=yes protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Listed sources are dropped in both chains.
add action=drop chain=input comment="dropping port scanners" src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" src-address-list="port scanners"
# Catch-all input drop with no matcher: new connections from the LAN to the
# router (DNS, Winbox, SSH, ...) that were not accepted above are dropped too.
# There is no equivalent catch-all in the forward chain, so anything not matched
# above -- LAN->WAN and traffic between the VLANs -- is forwarded; the isolation
# between the VLANs is not enforced by this filter.
add action=drop chain=input
/ip firewall nat
add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
/ip firewall raw
# NOTE(review): drops every ICMP packet arriving on ether1 before connection
# tracking, including the "fragmentation needed" and "time exceeded" replies the
# icmp4 chain below is meant to accept; WAN-side path-MTU discovery and
# traceroute replies never reach that chain.
add action=drop chain=prerouting in-interface=ether1 protocol=icmp
add action=drop chain=prerouting in-interface=ether1 src-address-list="port scanners"
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
# Matches in-interface-list=LAN only, i.e. the untagged bridge LAN, not the VLAN_* interfaces.
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 \
    in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
# The following "default IP range" rules are all disabled=yes; each one negates a
# *single* subnet, so enabling any one of them would block every other local subnet.
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" disabled=yes dst-address=192.168.88.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" disabled=yes dst-address=192.168.1.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN \
    src-address=!192.168.1.0/24
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN \
    src-address=!192.168.9.0/24
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN \
    src-address=!192.168.22.0/24
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN \
    src-address=!192.168.88.0/24
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN \
    src-address=!192.168.100.0/24
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN \
    src-address=!192.168.253.0/24
add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" disabled=yes in-interface-list=LAN \
    src-address=!192.168.254.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
# All ICMP (from every interface, including LAN->WAN pings) goes through icmp4 below.
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp
# Only Local_Bridge is in the LAN list, so traffic entering on the VLAN_*
# interfaces matches neither accept and falls through to the unconditional drop
# that follows -- which stops routed traffic from every VLAN except the untagged
# bridge LAN. Adding the VLAN interfaces to the LAN list (or dropping the raw
# chain, as suggested in the thread) avoids that.
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
# NOTE(review): action=drop on echo requests (8:0): the rate-limited ones are
# dropped here and the rest by "drop other icmp", so no ping from any interface
# -- including a LAN client pinging 8.8.8.8 -- gets through this chain. Unless
# pings are meant to be blocked entirely, this should be accept (as I believe
# the upstream defconf has it).
add action=drop chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
# Connection-tracking helpers (ALGs) disabled; fine to keep.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes permits SSH sessions with the "none"
# (unencrypted) cipher -- set it to no. forwarding-enabled=remote allows remote
# port forwarding through the router's SSH server; disable unless needed.
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/New_York
/system identity
set name=Home
/system ntp client
# NTP client enabled; no server address appears in this export.
set enabled=yes

I thought the pvid on the bridge could be left set to 1; not sure if it has any influence?
Could you please add tags (with square brackets) to make your config more readable?

Are you familiar with this topic:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I need clarity on the number of vlans and dhcp servers.
I see originally 5 vlans and in the latest config 6 vlans and also 7 pools?

Local bridge should have default vlan setting of 1, NOT 50!
Guest pool should be a different subnet than the Security pool

Remove any role of the bridge in handing out DHCP for an interface; if you need another VLAN, create it.

Your config is too hosed to work on at the moment due to the volume of errors; as noted, you need to clean up your VLANs, as they are incorrectly configured when it comes to bridge ports and bridge VLANs. You really need to read this ref: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

As for your firewall, the only address list of statically assigned IPs you need is for admin access, at least to start.
Get rid of raw, and I see duplication in your NAT config part too…



/ip firewall address-list
add address=IPadmindesktop list=adminaccess
add address=IPadminlaptop list=adminaccess
add address=IPadminipad list=adminaccess

/ip firewall filter

add action=accept chain=input protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=vlan_mgmt src-address-list=adminaccess [only admin should be able to fully access the router]
add action=accept chain=input in-interface-list=LAN (TCP/UDP) dst-port=53 (only provide access to lan users for specific services, most common -DNS SERVICES, NTP services)
***** Whatever rules you need for ipsec L2TP?? *****
add action=drop chain=input comment="drop all else" (caution: put in this rule only when the admin access rules are in place!!)


add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=“allow port forwarding” \ (optional rule can be disabled if no port forwarding is used)
connection-nat-state=dstnat connection-state=new in-interface-list=WAN


add action=drop chain=input comment="drop all else"

Note: *********** Is where you put all the admin rules for traffic you wish to permit
ex… allow specific VLANS or entire LAN to internet
ex allow VLAN access to a shared printer in another VLAN
ex. allow admin access to all VLANS.

I really wanted to help here, but sorry, my pc’s mouse scroll wheel seized while looking through this post :slight_smile:

So many accreditations but only the MTUNA gives you stamina!!!
Have a glass of warm milk (with brandy allowed) and go to bed, you must be tired.

I will work on getting it cleaned up. Thanks for all the help! I will read the suggested threads and update tonight.

@erlinden Thanks for the heads up on tags

@erlinden and @anav I don't know how to open .rsc files, so I cannot look at the examples. I have read the article and will read it again.

I followed wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs for my guide when setting up.

@anav thanks for the firewall setup. I will reconfigure and update tonight. Why get rid of raw? When I had my previous firewall in place with fasttrack enabled I was not getting full bandwidth: 200 vs 400. I followed help.mikrotik.com/docs/display/ROS/Building+Advanced+Firewall to set up the new one.

VLAN_SECURITY 192.168.1.1/24 w/ DHCP
VLAN GUEST 192.168.9.254/24 w/DHCP
VLAN_Home 192.168.22.254/24 w/DHCP
VLAN_TV 192.168.253.254/24 w/DHCP
VLAN_IOT 192.168.254.254/24 w/DHCP
VLAN_MGMT 10.8.12.254/24 no DHCP
*Down the road if possible VLAN over SSTP to Office? Office network 192.168.44.0/24

Address assigned to each switch for management.
10.8.12.254. (960PGS)
10.8.12.253 (951G)
10.8.12.252 (CRS109-8G-1s-2HnD)
10.8.12.251 (941-2nD)
10.8.12.250 (RB2011)
10.8.12.249 (WAP)

I would like nothing on the local bridge, so if you plug into an Ethernet jack that is not assigned an untagged VLAN you see nothing (no DHCP, no packets, ...).

Thanks again for the help.

You dont need raw! It will get someone who doesnt understand ROS into trouble very quickly.

.rsc files are easily opened; most people use a wonderful program called Notepad++.

Correct: if you do not want anything assigned on a bridge, don't put DHCP on the bridge, only on each VLAN.
Thus the port will be on the bridge, but if it is not assigned a VLAN there should be no traffic on that port.

@anav, @mkx, @erlinden. Thanks for all the help and constructive coaching! It works!!! Next step is to work on my firewall and set up a VLAN over SSTP connection. Do you recommend the Learn RouterOS Book?

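# dec/06/2020 21:11:42 by RouterOS 6.47.2

#
# model = 960PGS
# serial number = 
/interface bridge
add name=BR1 protocol-mode=none
/interface vlan
add interface=BR1 name=GUEST_VLAN vlan-id=50
add interface=BR1 name=HOME_VLAN vlan-id=40
add interface=BR1 name=IOT_VLAN vlan-id=70
add interface=BR1 name=MGMT_VLAN vlan-id=24
add interface=BR1 name=SECURITY_VLAN vlan-id=30
add interface=BR1 name=TV_VLAN vlan-id=60
/caps-man security
# NOTE(review): the passphrases below are either redacted placeholders or 8-9 digit numeric
# PSKs; if they are real, they are trivially guessable for WPA2-PSK and should be replaced.
add authentication-types=wpa2-psk encryption=aes-ccm name=Local passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=Guest passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=IOT_Sec passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=TV_Sec passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name="IP_Cam_Sec " passphrase=123456789
add authentication-types=wpa2-psk encryption=aes-ccm name=Home_Sec passphrase=12345678
/caps-man configuration
# hide-ssid only suppresses the beacon name; it is not an access control - the PSK and the
# VLAN assignment are.
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag hide-ssid=yes \
    name=Config_Security security=Local ssid=Security
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=60 datapath.vlan-mode=use-tag hide-ssid=yes \
    name=Config_TV security=Local ssid=TV
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=40 datapath.vlan-mode=use-tag name=\
    Config_Home security=Home_Sec ssid=Home
# Fixed: GUEST_VLAN is vlan-id=50 (see /interface vlan above) but the guest SSID tagged
# clients with 70, which landed guests on the IOT VLAN instead of the guest one.
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=50 datapath.vlan-mode=use-tag name=\
    Config_GUEST security=Guest ssid=Home_Guest
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=70 datapath.vlan-mode=use-tag hide-ssid=yes \
    name=Config_IOT security=IOT_Sec ssid=IOT
/caps-man interface
add configuration=Config_TV disabled=no l2mtu=1600 mac-address=AB:3F:58:05:60:37 master-interface=none name=cap1 \
    radio-mac=AB:3F:58:05:60:37 radio-name=AB3F58056037
add configuration=Config_Home disabled=no l2mtu=1600 mac-address=04:B9:21:5E:5A:AF master-interface=none name=cap2 \
    radio-mac=04:B9:21:5E:5A:AF radio-name=04B9215E5AAF
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=SECURITY_POOL ranges=192.168.1.2-192.168.1.50
add name=HOME_POOL ranges=192.168.22.1-192.168.22.100
add name=GUEST_POOL ranges=192.168.9.2-192.168.9.100
add name=TV_POOL ranges=192.168.253.2-192.168.253.100
add name=IOT_POOL ranges=192.168.254.2-192.168.254.100
add name=MGMT_POOL ranges=10.8.12.100-10.8.12.120
/ip dhcp-server
add address-pool=SECURITY_POOL disabled=no interface=SECURITY_VLAN name=SECURITY_DHCP
add address-pool=HOME_POOL disabled=no interface=HOME_VLAN name=HOME_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=TV_POOL disabled=no interface=TV_VLAN name=TV_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=MGMT_POOL disabled=no interface=MGMT_VLAN name=MGMT_DHCP
/user group
set full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=Config_Home slave-configurations=\
    Config_GUEST,Config_Security,Config_IOT,Config_TV
add comment=951 master-configuration=Config_TV radio-mac=AB:3F:58:05:60:37
add comment=Home master-configuration=Config_Home radio-mac=04:B9:21:5E:5A:AF
/interface bridge port
# All bridge ports admit tagged frames only, so an unconfigured jack carries no VLAN traffic.
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether5
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp1
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=50
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=60
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=70
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,sfp1 vlan-ids=24
/interface list member
add interface=ether1 list=WAN
add interface=GUEST_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=MGMT_VLAN list=VLAN
add interface=SECURITY_VLAN list=VLAN
add interface=TV_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
/ip address
add address=10.8.12.254/24 interface=MGMT_VLAN network=10.8.12.0
add address=192.168.1.1/24 interface=SECURITY_VLAN network=192.168.1.0
add address=192.168.22.254/24 interface=HOME_VLAN network=192.168.22.0
add address=192.168.9.254/24 interface=GUEST_VLAN network=192.168.9.0
add address=192.168.253.254/24 interface=TV_VLAN network=192.168.253.0
add address=192.168.254.254/24 interface=IOT_VLAN network=192.168.254.0
/ip dhcp-client
add !dhcp-options disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.22.200 client-id=1:6b:35:48:1c:45:41 mac-address=6B:35:48:1C:45:41 server=HOME_DHCP
add address=192.168.254.100 client-id=1:38:4b:1b:07:ab:e1 mac-address=38:4B:1B:07:AB:E1 server=IOT_DHCP
/ip dhcp-server network
# dns-server points every VLAN at the router's MGMT_VLAN address; this works only because
# the input chain accepts udp/53 from the VLAN interface list without a dst-address match.
add address=10.8.12.0/24 dns-server=10.8.12.254 gateway=10.8.12.254
# Fixed: the router holds 192.168.1.1/24 on SECURITY_VLAN (see /ip address), so handing
# out 192.168.1.254 as gateway left SECURITY clients with no working default route.
add address=192.168.1.0/24 dns-server=10.8.12.254 gateway=192.168.1.1
add address=192.168.9.0/24 dns-server=10.8.12.254 gateway=192.168.9.254
add address=192.168.22.0/24 dns-server=10.8.12.254 gateway=192.168.22.254
add address=192.168.253.0/24 dns-server=10.8.12.254 gateway=192.168.253.254
add address=192.168.254.0/24 dns-server=10.8.12.254 gateway=192.168.254.254
/ip dns
# Fixed: 208.67.22.22 looks like a typo; OpenDNS resolvers are 208.67.222.222 and
# 208.67.220.220. allow-remote-requests=yes is safe only because the input chain ends in
# "drop all else", which stops WAN-side queries from reaching the resolver.
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip firewall address-list
add address=192.168.22.150 list=adminaccess
add address=192.168.22.100 list=adminaccess
/ip firewall filter
add action=drop chain=input in-interface-list=WAN src-address-list="Port Scanner"
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "Port scanners to block List" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=""
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "NMAP FIN Stealth scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "SYN/FIN scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "SYN/RST scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "FIN/PSH/URG scan - Block TCP Null scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "ALL/ALL scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "Block TCP Xmas scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "NMAP NULL scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" address-list-timeout=none-static chain=input comment=\
    "Drop TCP RST" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=rst
add action=drop chain=input comment="dropping port scanners" in-interface-list=WAN src-address-list="Port Scanner"
# NOTE(review): nothing in this export sets connection-mark=ping (there is no /ip firewall
# mangle section), so this rule never matches and the next rule accepts all ICMP, WAN included.
add action=drop chain=input comment="Drop pings" connection-mark=ping in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): duplicate of the ICMP accept above; its comment describes the admin-access
# rule it was meant to be (adminaccess list on the management VLAN), not what it matches.
add action=accept chain=input comment="only admin should be able to fully access the router" protocol=icmp
add action=accept chain=input comment=\
    "(only provide access to lan users for specific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
# Fixed: Winbox (tcp/8291) was reachable from every VLAN, guest and IoT included; it is now
# limited to the adminaccess address list while the MGMT_VLAN rule below keeps full access.
add action=accept chain=input comment="Winbox from adminaccess hosts only" dst-port=8291 \
    in-interface-list=VLAN protocol=tcp src-address-list=adminaccess
add action=accept chain=input comment="Allow MGMT_Vlan Full Access" in-interface=MGMT_VLAN
# Disabled duplicate; the enabled "drop all else" at the end of this list is what closes the input chain.
add action=drop chain=input comment="\"drop all else\"" disabled=yes
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" disabled=yes ipsec-policy=\
    in,ipsec
# fasttrack: established/related forward traffic bypasses every later forward rule, so any
# per-host or per-VLAN drop below must match the first (connection-state=new) packet.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment=\
    "allow port forwarding - optional rule can be disabled if no port forwarding is used" connection-nat-state=dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# Fixed: in-interface=IOT_VLAN together with in-interface-list=WAN can never both be true, so
# the IoT block never matched; traffic leaving towards the WAN is selected by out-interface-list.
add action=drop chain=forward comment="Block IOT out of WAN" in-interface=IOT_VLAN out-interface-list=WAN
# NOTE(review): this single IoT host may open new connections to every VLAN and the WAN;
# no out-interface, dst-address or dst-port restricts it.
add action=accept chain=forward comment="VLAN inter-VLAN routing" connection-state=new in-interface-list=VLAN \
    src-address=192.168.254.100
add action=accept chain=forward comment="Allow access to Server on HOME_VLAN" connection-state=new dst-port=8080 \
    in-interface-list=VLAN out-interface=HOME_VLAN protocol=tcp
# Moved up: this drop sat after "VLAN Internet Access only", which had already accepted the
# host's new connections, so it could never match.
add action=drop chain=forward out-interface-list=WAN protocol=tcp src-address=192.168.9.2
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN \
    out-interface-list=WAN
add action=drop chain=forward comment="Drop all traffic that goes to multicast or broadcast addresses" dst-address-type=\
    broadcast,multicast
add action=drop chain=forward comment=Drop
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ssh
# Fixed: allow-none-crypto=yes let SSH sessions negotiate the "none" cipher (unencrypted
# session). forwarding-enabled=remote still lets any user who can log in open remote port
# forwards through the router.
set allow-none-crypto=no forwarding-enabled=remote
/ppp secret
add name=ppp1
/system clock
set time-zone-name=America/New_York
/system identity
set name=ROUTER
/system ntp client
set enabled=yes primary-ntp=129.6.15.30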
[admin@ROUTER >

Thanks again!!