Config Review and Improvements

I have read through the getting started documentation and watched the official MikroTik VLAN videos, but I am not sure whether what I have done is as efficient or as secure as it could be. Any suggestions or guidance would be greatly appreciated.

Thank you.

# 2026-01-10 14:07:43 by RouterOS 7.20.6
# software id = NIGV-JLUH
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXX
# Single bridge that every LAN-side port joins (see "/interface bridge port").
# NOTE(review): vlan-filtering=yes does not appear here. Exports omit default
# values and the default is "no", so the bridge is presumably not enforcing
# VLAN membership on its ports - confirm with "/interface bridge print".
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=\
    switch_bridge
# One routed VLAN interface per segment, all on top of switch_bridge.
# NOTE(review): "default" (vlan-id=1) is given no IP address, DHCP server or
# interface-list membership anywhere in this export; the untagged
# 10.122.0.0/24 segment is addressed on switch_bridge itself, so this
# interface looks unused.
/interface vlan
add interface=switch_bridge name=default vlan-id=1
add interface=switch_bridge name=home63 vlan-id=63
add interface=switch_bridge name=management223 vlan-id=223
add interface=switch_bridge name=nowan191 vlan-id=191
add interface=switch_bridge name=servers127 vlan-id=127
# Interface lists used by the firewall, neighbor discovery and the MAC server.
# LAN includes PVID_home63 and PVID_servers127; switch_bridge is added to LAN
# as a direct member under "/interface list member".
# NOTE(review): PVID_nowan191 and PVID_management223 are not included in LAN.
# The input chain drops everything "not coming from LAN", so new connections
# from those two VLANs to the router itself (DNS, SSH, WinBox) are dropped.
# Decide per VLAN whether that is intended; for management it conflicts with
# the SSH/WinBox address restrictions under "/ip service".
/interface list
add comment=defconf name=WAN
add comment=vlan name=PVID_home63
add comment=vlan name=PVID_servers127
add comment=vlan name=PVID_nowan191
add comment=vlan name=PVID_management223
add comment=defconf include=PVID_home63,PVID_servers127 name=LAN
# Named channel definitions. The first twelve entries each pin a single
# 20 MHz frequency; the last four are multi-frequency lists.
# Only 2GHZ::AUTO and 5GHZ::NON-DFS are referenced by the configurations and
# interfaces in this export; the single-frequency entries and the two UNII
# lists are not referenced anywhere visible here.
/interface wifi channel
add band=5ghz-ax frequency=5180 name=5GHZ::CH36 width=20mhz
add band=5ghz-ax frequency=5200 name=5GHZ::CH40 width=20mhz
add band=5ghz-ax frequency=5220 name=5GHZ::CH44 width=20mhz
add band=5ghz-ax frequency=5240 name=5GHZ::CH48 width=20mhz
add band=5ghz-ax frequency=5745 name=5GHZ::CH149 width=20mhz
add band=5ghz-ax frequency=5765 name=5GHZ::CH153 width=20mhz
add band=5ghz-ax frequency=5785 name=5GHZ::CH157 width=20mhz
add band=5ghz-ax frequency=5805 name=5GHZ::CH161 width=20mhz
add band=5ghz-ax frequency=5825 name=5GHZ::CH165 width=20mhz
add band=2ghz-ax frequency=2412 name=2GHZ::CH1 width=20mhz
add band=2ghz-ax frequency=2437 name=2GHZ::CH6 width=20mhz
add band=2ghz-ax frequency=2462 name=2GHZ::CH11 width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=5GHZ::UNII-1 \
    width=20mhz
add band=5ghz-ax disabled=no frequency=5745,5765,5785,5805,5825 name=\
    5GHZ::UNII-3 width=20mhz
add band=5ghz-ax disabled=no frequency=\
    5180,5200,5220,5240,5745,5765,5785,5805,5825 name=5GHZ::NON-DFS width=\
    20mhz
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2GHZ::AUTO width=\
    20mhz
# Datapaths: datapath63 puts wireless clients on VLAN 63 (home).
# datapath1 is not referenced by either configuration in this export.
/interface wifi datapath
add bridge=switch_bridge disabled=no name=datapath1
add disabled=no interface-list=PVID_home63 name=datapath63 vlan-id=63
# One security profile shared by both bands: WPA2-PSK and WPA3-PSK together.
# NOTE(review): no passphrase is visible; exports normally hide sensitive
# values, so this presumably does not mean the network is open - confirm on
# the device.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp name=\
    sec1
# One AP configuration per band. Both use the same SSID, security profile and
# datapath63, so every wireless client lands on the home VLAN.
# cfg_5 overrides the channel width to 20/40/80mhz although 5GHZ::NON-DFS is
# defined with width=20mhz.
/interface wifi configuration
add channel=2GHZ::AUTO channel.band=2ghz-ax .width=20mhz country=\
    "United States" datapath=datapath63 disabled=no mode=ap name=cfg_2_4 \
    security=sec1 ssid=WIFIname
add channel=5GHZ::NON-DFS channel.band=5ghz-ax .width=20/40/80mhz country=\
    "United States" datapath=datapath63 disabled=no mode=ap name=cfg_5 \
    security=sec1 ssid=WIFIname
# Radio interfaces of three remote CAPs (two radios each), bound by radio-mac.
# The export's own "operated by CAP" comments state that traffic is processed
# on the CAP and that each CAP is reached over switch_bridge.
# Hall_2_4 references the named channel 2GHZ::AUTO; the other five carry the
# same frequency lists inline as channel.frequency.
/interface wifi
# operated by CAP AA:AA:AA:AA:AA:AA%switch_bridge, traffic processing on CAP
add channel=2GHZ::AUTO configuration=cfg_2_4 configuration.mode=ap disabled=\
    no name=Hall_2_4 radio-mac=AA:AA:AA:AA:AA:A1
# operated by CAP AA:AA:AA:AA:AA:AA%switch_bridge, traffic processing on CAP
add channel.frequency=5180,5200,5220,5240,5745,5765,5785,5805,5825 \
    configuration=cfg_5 configuration.mode=ap disabled=no name=Hall_5 \
    radio-mac=AA:AA:AA:AA:AA:A0
# operated by CAP BB:BB:BB:BB:BB:BB%switch_bridge, traffic processing on CAP
add channel.frequency=5180,5200,5220,5240,5745,5765,5785,5805,5825 \
    configuration=cfg_5 configuration.mode=ap disabled=no name=LaundryRoom_5 \
    radio-mac=BB:BB:BB:BB:BB:B0
# operated by CAP BB:BB:BB:BB:BB:BB%switch_bridge, traffic processing on CAP
add channel.frequency=2412,2437,2462 configuration=cfg_2_4 \
    configuration.mode=ap disabled=no name=Laundry_2_4 radio-mac=\
    BB:BB:BB:BB:BB:B1
# operated by CAP CC:CC:CC:CC:CC:CC%switch_bridge, traffic processing on CAP
add channel.frequency=2412,2437,2462 configuration=cfg_2_4 \
    configuration.mode=ap disabled=no name=Shed_2_4 radio-mac=\
    CC:CC:CC:CC:CC:C1
# operated by CAP CC:CC:CC:CC:CC:CC%switch_bridge, traffic processing on CAP
add channel.frequency=5180,5200,5220,5240,5745,5765,5785,5805,5825 \
    configuration=cfg_5 configuration.mode=ap disabled=no name=Shed_5 \
    radio-mac=CC:CC:CC:CC:CC:C2
# One DHCP pool per /24, each handing out .2-.250.
/ip pool
add name=default-dhcp ranges=10.122.0.2-10.122.0.250
add name=home-dhcp ranges=10.122.63.2-10.122.63.250
add name=servers-dhcp ranges=10.122.127.2-10.122.127.250
add name=nowan-dhcp ranges=10.122.191.2-10.122.191.250
add name=management-dhcp ranges=10.122.223.2-10.122.223.250
# One DHCP server per segment. The "defconf" server is bound to switch_bridge
# itself, i.e. to untagged traffic on the bridge, not to a VLAN interface.
/ip dhcp-server
add address-pool=default-dhcp interface=switch_bridge name=defconf
add address-pool=home-dhcp interface=home63 name=home
add address-pool=servers-dhcp interface=servers127 name=servers
add address-pool=nowan-dhcp interface=nowan191 name=nowan
add address-pool=management-dhcp interface=management223 name=management
# Automatic media and SMB sharing are enabled, with switch_bridge as the media
# interface.
# NOTE(review): as the option names suggest, attached storage would be shared
# on the LAN without further configuration. If no file sharing is intended,
# set auto-media-sharing=no and auto-smb-sharing=no to remove that exposure.
/disk settings
set auto-media-interface=switch_bridge auto-media-sharing=yes \
    auto-smb-sharing=yes
# Bridge ports: ether2-ether7 and sfp-sfpplus1 (ether1 is the WAN port).
# NOTE(review): no port sets pvid=, frame-types= or ingress-filtering=, so
# every port stays on the default PVID of 1 and none is an access port for
# VLAN 63/127/191/223.
/interface bridge port
add bridge=switch_bridge comment=defconf interface=ether2
add bridge=switch_bridge comment=defconf interface=ether3
add bridge=switch_bridge comment=defconf interface=ether4
add bridge=switch_bridge comment=defconf interface=ether5
add bridge=switch_bridge comment=defconf interface=ether6
add bridge=switch_bridge comment=defconf interface=ether7
add bridge=switch_bridge comment=defconf interface=sfp-sfpplus1
# Neighbor discovery runs on every LAN member, which includes the home and
# servers VLANs as well as the untagged bridge.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table for switch_bridge.
# NOTE(review): none of these entries lists tagged= or untagged= members.
# Once vlan-filtering is enabled, switch_bridge itself has to be a tagged
# member of 63/127/191/223 for the VLAN interfaces to pass traffic, and the
# CAP uplink ports presumably need to be tagged for 63; without members the
# VLANs are dropped at the bridge.
/interface bridge vlan
add bridge=switch_bridge vlan-ids=1
add bridge=switch_bridge vlan-ids=63
add bridge=switch_bridge vlan-ids=127
add bridge=switch_bridge vlan-ids=191
add bridge=switch_bridge vlan-ids=223
# Detect-internet is active on the WAN list and writes its results into the
# LAN and WAN lists.
# NOTE(review): per the RouterOS documentation, detect-internet adds
# interfaces to the lan/wan/internet lists dynamically according to the state
# it detects. These are the same LAN and WAN lists the firewall keys on, so a
# detection result can change which side of the firewall ether1 is treated
# as. The lists are already populated statically below; setting
# detect-interface-list=none switches the feature off - confirm it is not
# needed.
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=all lan-interface-list=\
    LAN wan-interface-list=WAN
# Static list membership: the untagged bridge is LAN, ether1 is WAN, and each
# VLAN interface goes into its own PVID_* list.
/interface list member
add comment=defconf interface=switch_bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=home63 list=PVID_home63
add interface=servers127 list=PVID_servers127
add interface=nowan191 list=PVID_nowan191
add interface=management223 list=PVID_management223
# CAPsMAN listens on switch_bridge and does not push firmware to CAPs
# (upgrade-policy=none, empty package-path).
# NOTE(review): require-peer-certificate=no and no certificate= or
# ca-certificate= is set, so CAPs are not authenticated by certificate. Any
# device that can reach the manager on switch_bridge can presumably register
# as a CAP and be provisioned with the wireless configuration. Consider
# issuing certificates and requiring them, and moving CAP management onto the
# management VLAN.
/interface wifi capsman
set enabled=yes interfaces=switch_bridge package-path="" \
    require-peer-certificate=no upgrade-policy=none
# Router address (.1) on each segment. 10.122.0.1/24 sits on the bridge
# itself (untagged); the others sit on the VLAN interfaces.
/ip address
add address=10.122.0.1/24 comment=defconf interface=switch_bridge network=\
    10.122.0.0
add address=10.122.63.1/24 comment=home interface=home63 network=10.122.63.0
add address=10.122.127.1/24 comment=servers interface=servers127 network=\
    10.122.127.0
add address=10.122.191.1/24 comment=nowan interface=nowan191 network=\
    10.122.191.0
add address=10.122.223.1/24 comment=management interface=management223 \
    network=10.122.223.0
/ip cloud
set update-time=no
# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=defconf_client default-route-tables=main interface=ether1
# DHCP options per segment: the router is both gateway and DNS server.
# NOTE(review): nowan191 and management223 are not in the LAN list, so DNS
# queries from those clients to 10.122.191.1 / 10.122.223.1 hit the input
# chain's "drop all not coming from LAN" rule. Handing nowan a default
# gateway also routes it toward the WAN unless a forward rule blocks it.
/ip dhcp-server network
add address=10.122.0.0/24 comment=defconf dns-server=10.122.0.1 gateway=\
    10.122.0.1 netmask=24
add address=10.122.63.0/24 comment=home dns-server=10.122.63.1 gateway=\
    10.122.63.1 netmask=24
add address=10.122.127.0/24 comment=servers dns-server=10.122.127.1 gateway=\
    10.122.127.1 netmask=24
add address=10.122.191.0/24 comment=nowan dns-server=10.122.191.1 gateway=\
    10.122.191.1 netmask=24
add address=10.122.223.0/24 comment=management dns-server=10.122.223.1 \
    gateway=10.122.223.1 netmask=24
# The router acts as a caching resolver for clients (allow-remote-requests)
# and forwards to six public upstream servers.
# With allow-remote-requests=yes, the only thing keeping the resolver closed
# to the WAN is the input chain's "drop all not coming from LAN" rule; keep
# that rule in place and ether1 out of the LAN list.
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4,9.9.9.9,9.9.9.10
# IPv4 filter rules; every rule carries the "defconf" comment.
# Input chain: accept established/related/untracked, drop invalid, accept
# ICMP and loopback, then drop everything that did not arrive on a LAN
# interface.
# NOTE(review): management223 and nowan191 are not in LAN, so router access
# from the management VLAN is dropped here. Management access needs either
# PVID_management223 in LAN or an explicit accept rule above the drop.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: the only drops are for invalid packets and for new
# connections from WAN that were not dst-NATed; everything else is accepted
# when it falls off the end of the chain.
# NOTE(review): nothing here separates the VLANs from each other, and nothing
# stops nowan191 from reaching the WAN. Isolation between segments and a
# no-internet segment both need explicit drop rules (for example a final
# drop in forward preceded by the specific accepts that are wanted).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT for everything leaving through a WAN interface; it is not limited
# by source subnet, so all five segments are masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Management services: FTP, Telnet, HTTP and both API services are disabled.
# SSH is moved to port 1220 and limited to the management subnet; WinBox is
# limited to the untagged bridge subnet and the management subnet.
# NOTE(review): the address= restrictions are checked after the firewall.
# management223 is not in the LAN list, so the input chain drops these
# connections before the service sees them; as exported, SSH looks
# unreachable and WinBox works only from 10.122.0.0/24. Consider also
# dropping 10.122.0.0/24 from WinBox once the management VLAN is reachable.
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set ssh address=10.122.223.0/24 port=1220
set winbox address=10.122.0.0/24,10.122.223.0/24
set api disabled=yes
set api-ssl disabled=yes
# SSH server hardening: Ed25519 host key and the strong-crypto setting.
/ip ssh
set host-key-type=ed25519 strong-crypto=yes
# IPv6 address list "bad_ipv6", used by the forward chain below to drop
# packets whose source or destination falls in these ranges.
# NOTE(review): this export contains no /ipv6 address or DHCPv6 client
# section, so IPv6 may not be in use yet - confirm. Every rule below carries
# the "defconf" comment.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Input chain: the accepts for ICMPv6, UDP traceroute, DHCPv6 prefix
# delegation, IKE and IPsec apply to any interface, WAN included; everything
# else not arriving on a LAN interface is dropped.
# NOTE(review): as with IPv4, management223 and nowan191 are outside LAN.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Forward chain: unlike the IPv4 chain it ends with a drop for anything not
# arriving on a LAN interface.
# NOTE(review): that final drop also covers traffic entering on nowan191 and
# management223, while home, servers and the untagged bridge are forwarded
# freely between each other and to the WAN.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/New_York
/system identity
set name=RB5009UPr+S+OUT
# The router syncs from three public NTP sources (listed under
# "/system ntp client servers") and serves time to the local segments.
/system ntp client
set enabled=yes
# NTP server with broadcast to the broadcast address of each of the five /24s.
# NOTE(review): unicast NTP requests from nowan191 and management223 would be
# dropped by the input chain, since those VLANs are not in the LAN list.
/system ntp server
set broadcast=yes broadcast-addresses=\
    10.122.0.255,10.122.63.255,10.122.127.255,10.122.191.255,10.122.223.255 \
    enabled=yes
/system ntp client servers
add address=us.pool.ntp.org
add address=time.nist.gov
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
# MAC-level management (MAC Telnet and MAC WinBox) is allowed on every LAN
# member.
# NOTE(review): LAN includes the home VLAN that all Wi-Fi clients join, so
# layer-2 management is offered to wireless clients while the management VLAN
# is excluded. Pointing allowed-interface-list at a management-only list
# would narrow this.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Since you don't state what the config is supposed to do, no one can comment on whether it even does what you need it to do.

How did you generate the config?

Don't take this the wrong way, but your post is similar to

"I read an intro to cooking guide, and watched some cooking shows. Can you tell me if this is a good recipe?"

Does it work? Not? Is it efficient or not? Do you have problems with that configuration? What bothers you most? Any tips?

Never use VLAN ID 1 when using VLANs.
You can read this topic : Tutorial: Home VLAN configuration (RB5009, cAP ACs, multiple SSIDs)
And don't forget to use the official documentation.

But you can do anything... without a scheme and guidelines, it's hard to know. Write them down first...

And don't forget:

Where have you found that information that vlan-id should be set to 1?