CAPsMAN VLAN guest network - No connection

I have a problem with my guest network not working.

So far, when I used my own firewall rules, everything was fine, but when it turned out that my firewall was not that tight, I replaced my own rules with quite advanced rules developed by the mentor @anav. Unfortunately, since then my VLAN-based WLAN has not been working (no connection).

I am asking for help because I am a new MT user and I actually don’t know where to look for the cause. I will only add that the WAN address I get from my provider is a local (private) IP address.

Full router configuration:

RouterOS 7.14beta3
# Export of the poster's original (non-working) configuration. The "#" lines are review
# comments added for readability; every add/set line is verbatim.
/interface bridge
# Single bridge with VLAN filtering on. No /interface bridge vlan entries are exported,
# so VLANs 322/433 have no statically configured tagged member ports and the main
# subnet (192.168.68.0/24 below) rides the bridge untagged.
add admin-mac=??? auto-mac=no comment=Main name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface vlan
# Router-side L3 interfaces for the IoT and guest VLANs, both on top of the bridge.
add interface=bridge name=vlan322_iot vlan-id=322
add interface=bridge name=vlan433_guest vlan-id=433
/interface list
# Guest and "Smart Home" are separate lists, i.e. NOT members of LAN. The firewall
# below matches on LAN in both the input and forward chains, so both VLANs are
# excluded from every rule that uses it.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Guest
add name="Smart Home"
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=channel_24 width=\
    20/40mhz-Ce
add band=5ghz-ax disabled=no frequency=5180-5300 name=channel_50 \
    skip-dfs-channels=all width=20/40mhz-Ce
/interface wifi datapath
# Main SSID traffic enters the bridge untagged; guest SSID traffic is tagged VLAN 433
# and guest clients are isolated from each other on the AP.
add bridge=bridge disabled=no name=datapath_main
add bridge=bridge client-isolation=yes disabled=no name=datapath_guest \
    vlan-id=433
/interface wifi security
# All four profiles keep disable-pmkid=no (PMKID is included in the handshake) and
# wps=disable. NOTE(review): for PSK networks consider disable-pmkid=yes -- PMKID
# exposure weakens a PSK against offline guessing -- and confirm your clients and FT
# roaming still work with it. The main SSIDs are WPA2-only while the guest SSIDs also
# offer WPA3, presumably for client compatibility. "secuirty_*_24" is misspelled but is
# referenced with the same spelling in /interface wifi configuration, so it is consistent.
add authentication-types=wpa2-psk disable-pmkid=no disabled=no encryption="" \
    ft=yes ft-over-ds=yes name="security_main 50" wps=disable
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=no disabled=no ft=\
    yes ft-over-ds=yes name=security_guest_50 wps=disable
add authentication-types=wpa2-psk disable-pmkid=no disabled=no ft=yes \
    ft-over-ds=yes name=secuirty_main_24 wps=disable
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=no disabled=no \
    encryption="" ft=yes ft-over-ds=yes name=secuirty_guest_24 wps=disable
/interface wifi configuration
# Two SSIDs per band: "Jakub" (main datapath) and "Dom" (guest datapath, VLAN 433).
add channel=channel_50 country=Poland datapath=datapath_main disabled=no \
    mode=ap name=wifi_50 security="security_main 50" ssid=Jakub
add channel=channel_50 country=Poland datapath=datapath_guest disabled=no \
    mode=ap name=wifi_50_guest security=security_guest_50 ssid=Dom
add channel=channel_24 country=Poland datapath=datapath_main disabled=no \
    mode=ap name=wifi_24 security=secuirty_main_24 ssid=Jakub
add channel=channel_24 country=Poland datapath=datapath_guest disabled=no \
    mode=ap name=wifi_24_guest security=secuirty_guest_24 ssid=Dom
/interface wifi steering
add disabled=yes name=steering1 neighbor-group=\
    dynamic-Jakub-109f34cf,dynamic-Dom-4be23367 rrm=yes
/ip pool
# BUG: pool_iot starts at 192.168.69.1, which is the router's own address on
# vlan322_iot (see /ip address below); the other two pools start at .10. Start it at
# 192.168.69.10 so DHCP can never hand out the gateway address.
add comment=Main name=default-dhcp ranges=192.168.68.10-192.168.68.254
add comment=Guest name=pool_guest ranges=192.168.67.10-192.168.67.254
add comment="Smart Home" name=pool_iot ranges=192.168.69.1-192.168.69.254
/ip dhcp-server
# One DHCP server per segment; guest leases are deliberately short (1h).
add address-pool=default-dhcp comment=Main interface=bridge lease-time=1w \
    name=defconf
add address-pool=pool_guest comment=Guest interface=vlan433_guest lease-time=\
    1h name=dhcp_guest
add address-pool=pool_iot comment="Smart Home" interface=vlan322_iot \
    lease-time=1d name=dhcp_iot
/user group
# Reduced-privilege group: reboot, read-only and winbox login; everything else denied.
add name=restart policy="reboot,read,winbox,!local,!telnet,!ssh,!ftp,!write,!p\
    olicy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
/interface bridge port
# ether2-ether5 are bridge ports with no pvid set, so they keep the default pvid and
# are not members of VLAN 322 or 433 here.
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# Only the bridge is in LAN; vlan433_guest and vlan322_iot sit in their own lists,
# which no firewall rule in this export references.
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan433_guest list=Guest
add interface=vlan322_iot list="Smart Home"
/interface wifi cap
# This router is both a CAP (local radios) and the CAPsMAN; per the input-chain rule
# comment below, the CAP talks to the manager over 127.0.0.1.
set certificate=request discovery-interfaces=bridge enabled=yes
/interface wifi capsman
# require-peer-certificate=no: joining CAPs are not required to present a certificate.
# NOTE(review): once all CAPs have been issued certificates, consider
# require-peer-certificate=yes so an unknown CAP cannot be provisioned.
set ca-certificate=auto certificate=auto enabled=yes package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
# Each band gets the main configuration as master and the guest one as slave.
add action=create-dynamic-enabled disabled=no master-configuration=wifi_50 \
    slave-configurations=wifi_50_guest supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=wifi_24 \
    slave-configurations=wifi_24_guest supported-bands=2ghz-ax
/ip address
# Router addresses: .68.1 on the bridge (main), .67.1 on guest, .69.1 on IoT.
add address=192.168.68.1/24 comment=Main interface=bridge network=\
    192.168.68.0
add address=192.168.67.1/24 comment=Guest interface=vlan433_guest network=\
    192.168.67.0
add address=192.168.69.1/24 comment="Smart Home" interface=vlan322_iot \
    network=192.168.69.0
/ip dhcp-client
# WAN address from the ISP on ether1; ISP DNS servers are ignored (use-peer-dns=no).
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
???
/ip dhcp-server network
# Guest and IoT clients are told to use the router (.67.1 / .69.1) as DNS server, but
# the input chain below accepts DNS only from in-interface-list=LAN, which does not
# contain those VLANs in this export -- so their DNS queries to the router are dropped
# unless the client uses an external resolver.
add address=192.168.67.0/24 comment=Guest dns-server=192.168.67.1 gateway=\
    192.168.67.1 netmask=24
add address=192.168.68.0/24 comment=Main dns-server=192.168.68.1 gateway=\
    192.168.68.1 netmask=24
add address=192.168.69.0/24 comment="Smart Home" dns-server=192.168.69.1 \
    gateway=192.168.69.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for its clients; exposure
# towards WAN is prevented only by the input chain (DNS accepted from LAN, then
# "drop all else").
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1 verify-doh-cert=yes
/ip dns static
# defconf leftover: router.lan points at 192.168.88.1, but this router is 192.168.68.1.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Management hosts, matched by source IP only (see the "Config Access" rule below).
add address=192.168.68.49 comment=Solid-Aurora list=admin
add address=192.168.68.50 comment=Rapid-Monster list=admin
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Accepts every protocol and port from the admin list, on any interface.
# NOTE(review): consider adding in-interface=bridge (where these hosts live) and the
# management port(s) you actually use, so the rule is tied to the trusted segment and
# not only to an address.
add action=accept chain=input comment="Config Access" src-address-list=admin
# DNS only from LAN-listed interfaces -- in this export that is the bridge alone.
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
# Disabled and placed after the terminating drop above: unreachable, safe to delete.
add action=drop chain=input comment="drop all not coming from LAN" disabled=\
    yes in-interface-list=!LAN
# ---- forward chain: traffic routed through the router ----
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Disabled old default rule; "drop all else" at the end of the chain already covers it.
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
# Only LAN (= the bridge) may open connections to WAN. Guest and IoT are not in LAN
# and have no other accept rule, so their new connections fall through to
# "drop all else" -- this matches the reported "no connection" symptom.
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
# The main subnet may initiate connections to IoT; the reverse direction has no rule
# (replies come back through the established/related rule).
add action=accept chain=forward comment="allow Smart Home access" \
    dst-address=192.168.69.0/24 src-address=192.168.68.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
# Plaintext and legacy management services disabled; winbox and www-ssl do not
# appear in this export.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified RouterOS defaults. Unlike the IPv4 input chain there is no final
# "drop all else": the last input rule drops only !LAN, so anything arriving on a
# LAN-listed interface is accepted. No IPv6 addresses are exported here, so this only
# matters if IPv6 is enabled later.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Master
/system note
set show-at-login=no
/system package update
# The router follows the testing (beta) channel and, below, auto-upgrades RouterBOARD
# firmware after a RouterOS upgrade. NOTE(review): for the firewall you rely on, the
# stable channel is the safer choice.
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add

Well, I am not sure you handled VLANs correctly, and in fact, once you start using VLANs I recommend you turn the bridge-affiliated subnet INTO a VLAN; then your errors with the other VLANs will become clearer. My sense is that this is the root of your problems, not the firewall.
I suggest you read this to fix them up, including changing the bridge subnet into a proper VLAN subnet. (Hint: you don't need a management VLAN; just consider the bridge VLAN your trusted subnet.)
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

As for the filter rules:
You forgot to get rid of the old default rule, which was replaced by three rules: specify what is allowed out to the internet, allow port forwarding, and drop everything else!!!
add action=drop chain=forward comment="drop all from WAN not DSTNATed"
connection-nat-state=!dstnat connection-state=new disabled=yes
in-interface-list=WAN

Consider this a cleanup, but I don't think it will fix your problems, which are VLAN-based…

Hey @anav


To be more precise, I didn’t remove the rule below either, but they were both disabled anyway, so it didn’t affect my problem.

add action=drop chain=input comment="drop all not coming from LAN" disabled=
yes in-interface-list=!LAN



I tried various methods, but unfortunately it turned out that it was the firewall’s fault. I added 2 rules and everything works. Please evaluate the entire configuration, especially the firewall.

RouterOS 7.14beta3
# Export of the poster's configuration after the two extra forward rules were added.
# The "#" lines are review comments added for readability; every add/set line is verbatim.
/interface bridge
# Single bridge with VLAN filtering on; the main subnet (192.168.68.0/24 below) rides
# the bridge untagged, while 322/433 get explicit entries in /interface bridge vlan.
add admin-mac=??? auto-mac=no comment=Main name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface vlan
# Router-side L3 interfaces for the IoT and guest VLANs, both on top of the bridge.
add interface=bridge name=vlan322_iot vlan-id=322
add interface=bridge name=vlan433_guest vlan-id=433
/interface list
# Guest and "Smart Home" are separate lists, i.e. NOT members of LAN; the input chain
# below matches on LAN, so both VLANs are excluded from those rules.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Guest
add name="Smart Home"
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=channel_24 width=\
    20/40mhz-Ce
add band=5ghz-ax disabled=no frequency=5180-5300 name=channel_50 \
    skip-dfs-channels=all width=20/40mhz-Ce
/interface wifi datapath
# Main SSID traffic enters the bridge untagged. Guest SSID traffic is tagged VLAN 433,
# guest clients are isolated from each other on the AP, and bridge-horizon=67 puts
# every guest wifi port in one horizon group so the bridge does not forward between them.
add bridge=bridge disabled=no name=datapath_main
add bridge=bridge bridge-horizon=67 client-isolation=yes disabled=no name=\
    datapath_guest vlan-id=433
/interface wifi security
# All four profiles keep disable-pmkid=no (PMKID is included in the handshake) and
# wps=disable. NOTE(review): for PSK networks consider disable-pmkid=yes -- PMKID
# exposure weakens a PSK against offline guessing -- and confirm your clients and FT
# roaming still work with it. The main SSIDs are WPA2-only while the guest SSIDs also
# offer WPA3, presumably for client compatibility. "secuirty_*_24" is misspelled but is
# referenced with the same spelling in /interface wifi configuration, so it is consistent.
add authentication-types=wpa2-psk disable-pmkid=no disabled=no encryption="" \
    ft=yes ft-over-ds=yes name="security_main 50" wps=disable
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=no disabled=no ft=\
    yes ft-over-ds=yes name=security_guest_50 wps=disable
add authentication-types=wpa2-psk disable-pmkid=no disabled=no ft=yes \
    ft-over-ds=yes name=secuirty_main_24 wps=disable
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=no disabled=no \
    encryption="" ft=yes ft-over-ds=yes name=secuirty_guest_24 wps=disable
/interface wifi configuration
# Two SSIDs per band: "Jakub" (main datapath) and "Dom" (guest datapath, VLAN 433).
add channel=channel_50 country=Poland datapath=datapath_main disabled=no \
    mode=ap name=wifi_50 security="security_main 50" ssid=Jakub
add channel=channel_50 country=Poland datapath=datapath_guest disabled=no \
    mode=ap name=wifi_50_guest security=security_guest_50 ssid=Dom
add channel=channel_24 country=Poland datapath=datapath_main disabled=no \
    mode=ap name=wifi_24 security=secuirty_main_24 ssid=Jakub
add channel=channel_24 country=Poland datapath=datapath_guest disabled=no \
    mode=ap name=wifi_24_guest security=secuirty_guest_24 ssid=Dom
/interface wifi steering
add disabled=yes name=steering1 neighbor-group=\
    dynamic-Jakub-109f34cf,dynamic-Dom-4be23367 rrm=yes
/ip pool
# BUG: pool_iot starts at 192.168.69.1, which is the router's own address on
# vlan322_iot (see /ip address below); the other two pools start at .10. Start it at
# 192.168.69.10 so DHCP can never hand out the gateway address.
add comment=Main name=default-dhcp ranges=192.168.68.10-192.168.68.254
add comment=Guest name=pool_guest ranges=192.168.67.10-192.168.67.254
add comment="Smart Home" name=pool_iot ranges=192.168.69.1-192.168.69.254
/ip dhcp-server
# One DHCP server per segment; guest leases are deliberately short (1h).
add address-pool=default-dhcp comment=Main interface=bridge lease-time=1w \
    name=defconf
add address-pool=pool_guest comment=Guest interface=vlan433_guest lease-time=\
    1h name=dhcp_guest
add address-pool=pool_iot comment="Smart Home" interface=vlan322_iot \
    lease-time=1d name=dhcp_iot
/user group
# Reduced-privilege group: reboot, read-only and winbox login; everything else denied.
add name=restart policy="reboot,read,winbox,!local,!telnet,!ssh,!ftp,!write,!p\
    olicy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
/interface bridge port
# ether2-ether5 are bridge ports with no pvid set, so they keep the default pvid.
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
# VLANs 433/322 are tagged only towards the bridge (CPU) and ether2. ether3-ether5
# are not members, so a CAP or switch on those ports cannot carry the guest/IoT VLANs;
# add them to "tagged" if that is needed.
add bridge=bridge tagged=bridge,ether2 vlan-ids=433
add bridge=bridge tagged=bridge,ether2 vlan-ids=322
/interface list member
# Only the bridge is in LAN; vlan433_guest and vlan322_iot sit in their own lists,
# which are used solely by the two per-VLAN internet rules in the forward chain.
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=vlan433_guest list=Guest
add interface=vlan322_iot list="Smart Home"
/interface wifi cap
# This router is both a CAP (local radios) and the CAPsMAN; per the input-chain rule
# comment below, the CAP talks to the manager over 127.0.0.1.
set certificate=request discovery-interfaces=bridge enabled=yes
/interface wifi capsman
# require-peer-certificate=no: joining CAPs are not required to present a certificate.
# NOTE(review): once all CAPs have been issued certificates, consider
# require-peer-certificate=yes so an unknown CAP cannot be provisioned.
set ca-certificate=auto certificate=auto enabled=yes package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
# Each band gets the main configuration as master and the guest one as slave;
# name-format only affects the names of the dynamically created interfaces.
add action=create-dynamic-enabled disabled=no master-configuration=wifi_50 \
    name-format="5G-%I - " slave-configurations=wifi_50_guest \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=wifi_24 \
    name-format=2G-%I- slave-configurations=wifi_24_guest supported-bands=\
    2ghz-ax
/ip address
# Router addresses: .68.1 on the bridge (main), .67.1 on guest, .69.1 on IoT.
add address=192.168.68.1/24 comment=Main interface=bridge network=\
    192.168.68.0
add address=192.168.67.1/24 comment=Guest interface=vlan433_guest network=\
    192.168.67.0
add address=192.168.69.1/24 comment="Smart Home" interface=vlan322_iot \
    network=192.168.69.0
/ip dhcp-client
# WAN address from the ISP on ether1; ISP DNS servers are ignored (use-peer-dns=no).
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
???
/ip dhcp-server network
# Guest and IoT clients are told to use the router (.67.1 / .69.1) as DNS server, but
# the input chain below accepts DNS only from in-interface-list=LAN, which still does
# not contain those VLANs -- so their DNS queries to the router are dropped unless the
# client uses an external resolver. Putting the VLANs into LAN (or adding an equivalent
# input rule) is needed for name resolution through the router.
add address=192.168.67.0/24 comment=Guest dns-server=192.168.67.1 gateway=\
    192.168.67.1 netmask=24
add address=192.168.68.0/24 comment=Main dns-server=192.168.68.1 gateway=\
    192.168.68.1 netmask=24
add address=192.168.69.0/24 comment="Smart Home" dns-server=192.168.69.1 \
    gateway=192.168.69.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for its clients; exposure
# towards WAN is prevented only by the input chain (DNS accepted from LAN, then
# "drop all else").
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1 verify-doh-cert=yes
/ip dns static
# defconf leftover: router.lan points at 192.168.88.1, but this router is 192.168.68.1.
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
# Management hosts, matched by source IP only (see the "Config Access" rule below).
add address=192.168.68.49 comment=Solid-Aurora list=admin
add address=192.168.68.50 comment=Rapid-Monster list=admin
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Accepts every protocol and port from the admin list, on any interface.
# NOTE(review): consider adding in-interface=bridge (where these hosts live) and the
# management port(s) you actually use, so the rule is tied to the trusted segment and
# not only to an address.
add action=accept chain=input comment="Config Access" src-address-list=admin
# DNS only from LAN-listed interfaces -- in this export that is the bridge alone.
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
# ---- forward chain: traffic routed through the router ----
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Three segment->WAN rules, one per interface list, because Guest and "Smart Home"
# are not in LAN. The same effect with a single rule: put both VLANs into LAN.
# Inter-VLAN traffic is not accepted by any of these and ends in "drop all else",
# except the main->IoT rule further down.
add action=accept chain=forward comment="allow LAN internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow Guest internet traffic" \
    in-interface-list=Guest out-interface-list=WAN
add action=accept chain=forward comment="allow IoT internet traffic" \
    in-interface-list="Smart Home" out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
# The main subnet may initiate connections to IoT; the reverse direction has no rule
# (replies come back through the established/related rule).
add action=accept chain=forward comment="allow Smart Home access" \
    dst-address=192.168.69.0/24 src-address=192.168.68.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
# Plaintext and legacy management services disabled; winbox and www-ssl do not
# appear in this export.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified RouterOS defaults. Unlike the IPv4 input chain there is no final
# "drop all else": the last input rule drops only !LAN, so anything arriving on a
# LAN-listed interface is accepted. No IPv6 addresses are exported here, so this only
# matters if IPv6 is enabled later.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Master
/system note
set show-at-login=no
/system package update
# The router follows the testing (beta) channel and, below, auto-upgrades RouterBOARD
# firmware after a RouterOS upgrade. NOTE(review): for the firewall you rely on, the
# stable channel is the safer choice.
set channel=testing
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add

Well, the only changes I see are in the forward chain: two rules. Difference in green!

FROM
add action=accept chain=forward comment="allow internet traffic"
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow Smart Home access"
dst-address=192.168.69.0/24 src-address=192.168.68.0/24
add action=drop chain=forward comment="drop all else"

TO:
/ip firewall filter
add action=accept chain=forward comment="allow LAN internet traffic"
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow Guest internet traffic"
in-interface-list=Guest out-interface-list=WAN
add action=accept chain=forward comment="allow IoT internet traffic"
in-interface-list="Smart Home" out-interface-list=WAN
add action=accept chain=forward comment="allow Smart Home access"
dst-address=192.168.69.0/24 src-address=192.168.68.0/24

Let's dissect that.
The Guest VLAN vlan433_guest is NOT a member of the LAN, so that's why you needed to add a rule…
The IoT VLAN vlan322_iot is NOT a member of the LAN, so that's why you needed to add a rule.

Basically, this is an inefficient use of interface lists, which are designed to handle subnets that need the same rules applied.
For a single subnet, not so much (use the subnet's src or dst address, the interface name, etc.).
Also, those interface lists are not used anywhere else that I can see… BUT we do use the LAN list in the input chain, and thus it is important that it is accurate. (The input chain accepts DNS queries only from LAN-listed interfaces, and your guest and IoT DHCP networks hand out the router as DNS server, so those VLANs must be in LAN for name resolution through the router to work at all.)
SO DO make the below changes!!!

Easily fixed FROM:
/interface list member

add interface=ether1 list=WAN
add interface=vlan433_guest list=Guest
add interface=vlan322_iot list="Smart Home"

TO:
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=vlan433_guest list=LAN
add interface=vlan322_iot list=LAN

Then you only need the single forward-chain rule (inter-VLAN traffic stays blocked, because this rule only accepts LAN to WAN and "drop all else" catches the rest):
add action=accept chain=forward comment="allow LAN internet traffic"
in-interface-list=LAN out-interface-list=WAN

and can get rid of these two extra rules:
add action=accept chain=forward comment="allow Guest internet traffic"
in-interface-list=Guest out-interface-list=WAN
add action=accept chain=forward comment="allow IoT internet traffic"
in-interface-list="Smart Home" out-interface-list=WAN

Thank you, it really works! :slight_smile:

BTW, do you have any other tips for improving security on a MikroTik router?