CRS309 behind CCR2004 setup questions

Hi there,

I currently have the network setup shown in the “current situation” attachment.
However, the CCR2004 (-1G-12S+2XS) struggles really hard when transferring data between, say, VLAN1001 (e.g. my desktop) and VLAN1003 (e.g. my NAS), reaching just 5Gbps at max (this is a router bottleneck; the NAS and PC themselves are more than capable of it).
As such, I wanted to throw a CRS309 between the CCR2004, CRS317 and CRS326 (see “proposed situation” attachment).
This would also allow me to more easily update the CCR2004 (as it’s the main gatekeeper between my LAN and the wild west of the internet) without affecting the LAN as much.

  • The CCR2004 will only handle things related to my ISP (connecting to the ISP, handling traffic from and to ISP, firewall etc.)
  • The CRS309 will handle things related to my LAN (DHCP server, Inter-VLAN connections etc.)

But this leaves some questions:

  • Would this allow me to reach wirespeed between VLANs even with some firewall rules?
    • Currently, established and related get fasttracked on the CCR2004; there are no other fancy things, just “accept+fasttrack/drop”.
    • I have read about Fasttrack HW Offloading which is what I intend to use, so that should be fine right?
  • How would portforwarding work?
    • CCR2004 will handle the stuff coming from the ISP (eg. someone trying to reach a website hosted here).
    • I think I could just have the CCR2004 do DST-NAT as usual (action=dst-nat to-addresses=192.168.3.X to-ports=25565); it will then send the packet to the CRS309 and the CRS309 will figure it out from there?
  • Where would I set up queues (they only affect the uplink to the ISP; internally everything can just go as fast as possible)? CCR2004 or CRS309?
    • I assume on the CRS309 as CCR2004 only sees 1 IP address (the CRS309) or am I wrong?
  • Would I need to add some extra static routes of sorts?
    • I assume if I set the default gateway for each of the VLANs to the CRS309 and a static route 0.0.0.0/0 to be reachable via 192.168.0.1/24 (the CCR2004), it’ll work?
    • Probably need to add static routes in the CCR2004 to forward things to the CRS309?
    • Would I need some other extra config (e.g. a masquerade rule or something)?

I hope this explanation and the questions made enough sense.

Thanks in advance!
draw.io_bOc1qS01HA.png
draw.io_3yEEy1KFYZ.png

Consider posting CCR2004 config after removing sensitive information (serial number, IP addresses, user credentials, etc).

/export terse file=ccr2004-FinlayDaG33k.rsc

CRS309 can do the job at Layer 2 alone; Layer 3 routing is not required, but that won’t give the LAN independence from CCR2004 downtime you want.
CRS309 supports Layer 3 Hardware Offloading which will provide the LAN independence from CCR2004 downtime you want.
I used to route on CRS309 but moved that job over to an RB5009. Do you run any LAN to LAN firewall rules on CCR2004?

Avoid firewall rules on CRS309 if possible; it can hardware offload some firewall rules but not in large numbers.
If needed a few LAN to LAN rules should be OK and leave WAN rules on CCR2004.
Disclose Spanning Tree Protocol requirements.
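The routed-CRS309 design the questions above ask about, and the Layer 3 Hardware Offloading the reply above recommends, as an added example that is not part of any post in this thread. It reuses the VLAN names, subnets and port-forward lines from the CCR2004 export later in the thread; the CRS309 port assignments, the choice of vlan1000 as the transit VLAN, the CRS309 transit address 192.168.0.2 and the shortened lan-access chain are assumptions. It also assumes the CCR2004's vlan1000 DHCP pool (which currently starts at 192.168.0.2) is trimmed so the transit address is free.

```routeros
# Added example, not from the original post or any reply. Assumptions:
# CRS309 sfp-sfpplus1 faces the CCR2004, sfp-sfpplus2/3 face the CRS317/CRS326,
# vlan1000 (192.168.0.0/24) is the transit network, CRS309 is 192.168.0.2.

# ---------- CRS309: LAN router with L3 hardware offloading ----------
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 comment="To CCR2004"
add bridge=bridge1 interface=sfp-sfpplus2 comment="To CRS317"
add bridge=bridge1 interface=sfp-sfpplus3 comment="To CRS326"
/interface bridge vlan
# transit VLAN only needs to reach the CCR2004 link
add bridge=bridge1 tagged=bridge1,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1000
# LAN VLANs stay off the CCR2004 link; the CRS309 now routes them
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=30,1001,1002,1005,1255
/interface vlan
add comment="Transit to CCR2004" interface=bridge1 name=vlan1000 vlan-id=1000
add comment="Private VLAN" interface=bridge1 name=vlan1001 vlan-id=1001
add comment="Virtual Devices" interface=bridge1 name=vlan30 vlan-id=30
add comment=IOT interface=bridge1 name=vlan1005 vlan-id=1005
/interface list
add name=LAN
/interface list member
add interface=vlan1001 list=LAN
add interface=vlan30 list=LAN
add interface=vlan1005 list=LAN
/ip address
add address=192.168.0.2/24 interface=vlan1000
add address=192.168.1.1/24 interface=vlan1001
add address=192.168.3.1/24 interface=vlan30
add address=192.168.5.1/24 interface=vlan1005
# everything not local goes to the CCR2004; no NAT is needed here because
# the CCR2004 gets static routes back to these subnets (see below)
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
# inter-VLAN forwarding done by the switch chip instead of the CPU
/interface ethernet switch
set 0 l3-hw-offloading=yes
# DHCP moves here too; one subnet shown, the others follow the same pattern
/ip pool
add name=vlan30 ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=vlan30 interface=vlan30 lease-time=10m name=vlan30
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.0.7 gateway=192.168.3.1
# keep this chain short: only offloaded fasttrack flows stay in hardware,
# everything the CPU has to inspect is the slow path
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack LAN" connection-state=established,related hw-offload=yes in-interface-list=LAN out-interface-list=LAN
add action=accept chain=forward comment="Accept established and related" connection-state=established,related
add action=jump chain=forward comment="LAN access control" connection-state=new jump-target=lan-access
add action=return chain=lan-access comment="Allow Private VLAN" in-interface=vlan1001
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=udp
add action=drop chain=lan-access comment="Isolate IOT" in-interface=vlan1005

# ---------- CCR2004: WAN only ----------
# the LAN VLAN addresses move to the CRS309; the CCR2004 keeps 192.168.0.1/24 on vlan1000
/ip address
remove [ find interface=vlan30 ]
remove [ find interface=vlan1001 ]
remove [ find interface=vlan1005 ]
# LAN traffic now arrives on vlan1000, which the export only lists under "Neighbour"
/interface list member
add interface=vlan1000 list=LAN
# return path for port-forwarded and outbound traffic: the CRS309 is the next hop
/ip route
add comment="LAN via CRS309" dst-address=192.168.1.0/24 gateway=192.168.0.2
add comment="LAN via CRS309" dst-address=192.168.3.0/24 gateway=192.168.0.2
add comment="LAN via CRS309" dst-address=192.168.5.0/24 gateway=192.168.0.2
# port forwards are unchanged; conntrack on the CCR2004 un-NATs the reply
# that comes back through the CRS309 over the default route above
/ip firewall nat
add action=dst-nat chain=port-forwards comment=Minecraft dst-port=25565 protocol=tcp to-addresses=192.168.3.101 to-ports=25565
```

With the static routes in place the CCR2004 still sees the real LAN source addresses (no masquerade on the CRS309), so per-VLAN queues that match on target subnets can remain on the CCR2004; only the inter-VLAN access control and DHCP have to move.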

Yes, I do.
They are basically just:

  • If allowed: Return → Accept → Fasttrack.
  • If not allowed: Drop on the spot.

/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack LAN" connection-state=established,related hw-offload=yes in-interface-list=LAN out-interface-list=LAN
add action=jump chain=forward comment="Chain for LAN Access Control" connection-state=new dst-address-list=lan-addresses jump-target=lan-access src-address-list=lan-addresses
add action=accept chain=forward comment="Accept return from lan-access" connection-state=new
add action=accept chain=forward comment="Accept established and related" connection-state=established,related
add action=return chain=lan-access comment="Allow Private VLAN" in-interface=vlan1000
add action=return chain=lan-access comment="Allow Virtual VLAN" in-interface=vlan1003
add action=return chain=lan-access comment="Allow Wireguard" in-interface=wireguard1
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=tcp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=udp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=853 protocol=tcp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=853 protocol=udp
add action=return chain=lan-access comment="Allow Plex" dst-address=192.168.3.109 dst-port=32400 protocol=tcp
add action=return chain=lan-access comment="Allow Printer Access" dst-address=192.168.5.2
add action=return chain=lan-access comment="Allow Tablet to OBS" dst-address=192.168.1.2 dst-port=4455 protocol=tcp src-address=192.168.5.233
add action=drop chain=lan-access comment="Isolate Parents (to self)" in-interface=vlan1002 out-interface=!vlan1002
add action=drop chain=lan-access comment="Isolate IOT" in-interface=vlan1005
add action=drop chain=lan-access comment="Isolate Guests" in-interface=vlan1255

I don’t know if you mean this but:

  • CRS317 will connect to the CRS326 as well (I seem to have forgotten that little line).
  • There will be 2 clients connected to both the CRS317 and CRS326.
  • There will be an RB5009 connected to the CRS317, CRS326, CCR2004 and likely CRS309 (used for stuff like RoMON, AdGuard Home, MKTXP etc. etc.).

RouterOS documentation Spanning Tree Protocol has multiple flavors.

I really mean export the entire CCR2004 configuration (redact only security sensitive items).
Failing to fully disclose creates protracted dialogues leading to annoyance and destroying motivation to help.
Your choice: do you make it easy for forum users, or shall we just ignore you?
Export CRS317 and CRS326 configurations as well please.
Quoting configurations as code blocks is typical.
File attachments only add extra steps.
Quoting and attaching both is optional.

Here is the CCR2004 config (I did manually remove some entries: IPv6, DHCP static leases and WireGuard peers):

# 2025-02-07 17:39:04 by RouterOS 7.16.1
# software id = REDACTED
#
# model = CCR2004-1G-12S+2XS
# serial number = REDACTED
/interface bridge
add ingress-filtering=no name=bridge1 port-cost-mode=short priority=0x7000 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=Management name=mgmt
set [ find default-name=sfp-sfpplus1 ] comment="To Modem" l2mtu=1600 loop-protect=off
set [ find default-name=sfp-sfpplus2 ] comment="To CRS317-1G-16S+RM"
set [ find default-name=sfp-sfpplus3 ] comment="To CRS326-24G-2S+"
set [ find default-name=sfp-sfpplus4 ] comment=RB5009UG+S+
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus10 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment="Delta Internet" interface=sfp-sfpplus1 loop-protect=off name=delta-vlan100 vlan-id=100
add comment="Delta IPTV" interface=sfp-sfpplus1 name=delta-vlan101 vlan-id=101
add comment="Delta VoIP" interface=sfp-sfpplus1 name=delta-vlan102 vlan-id=102
add comment="Private VLAN" interface=bridge1 name=vlan10 vlan-id=10
add comment="Virtual Devices" interface=bridge1 name=vlan30 vlan-id=30
add comment="Main Infra (New)" interface=bridge1 name=vlan1000 vlan-id=1000
add comment="Private VLAN (New)" interface=bridge1 name=vlan1001 vlan-id=1001
add comment=Parents interface=bridge1 name=vlan1002 vlan-id=1002
add comment=IOT interface=bridge1 name=vlan1005 vlan-id=1005
add comment=Guests interface=bridge1 name=vlan1255 vlan-id=1255
/interface list
add name=WAN
add name=LAN
add comment="Neighbours for MNDP Attack mitigation" name=Neighbour
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip dhcp-client option
add code=60 name=iptv_rg value="'IPTV_RG'"
/ip pool
add name=vlan10 ranges=192.168.1.10-192.168.1.254
add name=vlan1255 ranges=192.168.255.10-192.168.255.254
add name=vlan1002 ranges=192.168.2.10-192.168.2.254
add name=vlan30 ranges=192.168.3.10-192.168.3.254
add name=vlan1005 ranges=192.168.5.10-192.168.5.243
add name=vlan1000 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add add-arp=yes address-pool=vlan10 interface=vlan10 lease-time=10m name=vlan10
add add-arp=yes address-pool=vlan1255 interface=vlan1255 lease-time=10m name=vlan1255
add add-arp=yes address-pool=vlan1002 interface=vlan1002 lease-time=10m name=vlan1002
add add-arp=yes address-pool=vlan30 interface=vlan30 lease-time=10m name=vlan30
add add-arp=yes address-pool=vlan1005 interface=vlan1005 lease-time=10m name=vlan1005
add add-arp=yes address-pool=vlan10 interface=vlan1001 lease-time=10m name=vlan1001
add add-arp=yes address-pool=vlan1000 interface=vlan1000 lease-time=10m name=vlan1000
/ip smb users
set [ find default=yes ] disabled=yes
/ipv6 pool
add name=ULA prefix=fc00::/7 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
/queue type
set 0 pfifo-limit=250
add cake-nat=yes cake-rtt-scheme=internet kind=cake name=cake-upload
add kind=fq-codel name=fq_codel
add cake-nat=yes cake-rtt-scheme=internet kind=cake name=cake-download
set 11 mq-pfifo-limit=5
/queue simple
add bucket-size=0/0 dst=delta-vlan100 limit-at=980M/980M max-limit=980M/980M name=ISP priority=1/1 queue=fq_codel/fq_codel target="" total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=890M/890M max-limit=980M/980M name="Private Wired" parent=ISP priority=1/1 queue=fq_codel/fq_codel target=vlan10 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=50M/50M max-limit=900M/900M name=Servers parent=ISP priority=2/2 queue=fq_codel/fq_codel target=vlan30 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=25M/25M max-limit=900M/900M name=Parents parent=ISP queue=pcq-upload-default/pcq-download-default target=vlan1002 total-queue=default
add bucket-size=0/0 dst=delta-vlan100 limit-at=1M/10M max-limit=1M/50M name=IOT parent=ISP queue=pcq-upload-default/pcq-download-default target=vlan1005 total-queue=default
add limit-at=10M/10M max-limit=980M/980M name=Guest parent=ISP queue=pcq-upload-default/pcq-download-default target=vlan1255 total-queue=default
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/user group
add name=dudes policy=read,winbox,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api
add name=ninym policy=read,api,rest-api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon
add name=mktxp policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
add name=disallow
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 multicast-router=disabled path-cost=10
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus3 internal-path-cost=10 multicast-router=disabled path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus5 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus6 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus7 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus8 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus9 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp-sfpplus10 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp28-1 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes ingress-filtering=no interface=sfp28-2 internal-path-cost=10 path-cost=10
add bridge=bridge1 disabled=yes interface=sfp-sfpplus11 internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=sfp-sfpplus12 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=sfp-sfpplus4
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=3m
/ip neighbor discovery-settings
set discover-interface-list=Neighbour lldp-max-frame-size=yes lldp-vlan-info=yes
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=10
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=30
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1002
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1005
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=99
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1255
add bridge=bridge1 tagged=bridge1,sfp-sfpplus2,sfp-sfpplus3 vlan-ids=1001
add bridge=bridge1 tagged=sfp-sfpplus2,sfp-sfpplus3,bridge1,sfp-sfpplus4 vlan-ids=1000
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=vlan10 list=LAN
add interface=vlan30 list=LAN
add interface=vlan1002 list=LAN
add interface=delta-vlan100 list=WAN
add interface=vlan1005 list=LAN
add interface=delta-vlan102 list=WAN
add interface=delta-vlan101 list=WAN
add interface=vlan1001 list=LAN
add interface=vlan1000 list=Neighbour
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.2.1/24 interface=vlan1002 network=192.168.2.0
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0
add address=192.168.255.1/24 interface=vlan1255 network=192.168.255.0
add address=192.168.3.1/24 interface=vlan30 network=192.168.3.0
add address=192.168.5.1/24 interface=vlan1005 network=192.168.5.0
add address=192.168.254.1/24 interface=wireguard1 network=192.168.254.0
add address=192.168.1.1/24 disabled=yes interface=vlan1001 network=192.168.1.0
add address=192.168.0.1/24 interface=vlan1000 network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip dhcp-client
add add-default-route=no comment="Delta VoIP" dhcp-options=clientid,clientid_duid interface=delta-vlan102 use-peer-dns=no use-peer-ntp=no
add comment="Delta Internet" interface=delta-vlan100 use-peer-dns=no use-peer-ntp=no
add add-default-route=no comment="Delta IPTV" dhcp-options=iptv_rg,hostname,clientid interface=delta-vlan101 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server alert
add alert-timeout=1d disabled=no interface=vlan30 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1005 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1002 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=*40 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1255 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan10 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
add alert-timeout=1d disabled=no interface=vlan1001 on-alert=":log error message=\"Unauthorized DHCP Server Discovered\"" valid-server=2C:C8:1B:39:8D:BD
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=192.168.0.0/24 caps-manager=192.168.0.7 dns-server=192.168.0.7 gateway=192.168.0.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.1.0/24 dns-server=192.168.0.7 gateway=192.168.1.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.2.0/24 dns-server=192.168.0.7 gateway=192.168.2.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.3.0/24 dns-server=192.168.0.7 gateway=192.168.3.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.5.0/24 dns-server=192.168.0.7 gateway=192.168.5.1 netmask=24 ntp-server=192.168.0.7
add address=192.168.255.0/24 dns-server=192.168.0.7 gateway=192.168.255.1 netmask=24 ntp-server=192.168.0.7
/ip dns
set allow-remote-requests=yes cache-size=262144KiB servers=192.168.0.7
/ip firewall address-list
add address=81.172.152.214 list=my-wan-addresses
add address=192.168.0.0/24 list=lan-addresses
add address=192.168.1.0/24 list=lan-addresses
add address=192.168.2.0/24 list=lan-addresses
add address=192.168.3.0/24 list=lan-addresses
add address=192.168.5.0/24 list=lan-addresses
add address=192.168.255.0/24 list=lan-addresses
add address=192.168.254.0/24 list=lan-addresses
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad-ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad-ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=bad-ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=bad-ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=bad-ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad-ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not-global-ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not-global-ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not-global-ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not-global-ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not-global-ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not-global-ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not-global-ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=not-global-ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not-global-ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad-src-ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad-src-ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad-dst-ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad-dst-ipv4
/ip firewall filter
add action=fasttrack-connection chain=forward comment="Fasttrack LAN" connection-state=established,related hw-offload=yes in-interface-list=LAN out-interface-list=LAN
add action=fasttrack-connection chain=forward comment="Fasttrack IPTV" hw-offload=yes out-interface=delta-vlan101
add action=fasttrack-connection chain=forward comment="Fasttrack VoIP" hw-offload=yes out-interface=delta-vlan102
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (DNS.Watch)" dst-address=84.200.70.40 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (LibreDNS)" dst-address=116.202.176.26 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (Google)" dst-address=8.8.8.8 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (CloudFlare)" dst-address=1.1.1.1 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (CloudFlare)" dst-address=1.0.0.1 hw-offload=yes src-address=192.168.0.7
add action=fasttrack-connection chain=forward comment="Fasttrack DNS (Quad9)" dst-address=9.9.9.11 hw-offload=yes src-address=192.168.0.7
add action=jump chain=forward comment="Chain for LAN Access Control" connection-state=new dst-address-list=lan-addresses jump-target=lan-access src-address-list=lan-addresses
add action=accept chain=forward comment="Accept established and related" connection-state=established,related
add action=jump chain=input comment="Fuck anyone trying to get into my router" in-interface-list=WAN jump-target=detect-remote-intrusion
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: ssh" dst-port=22 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: api-ssl" dst-port=8729 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: api" dst-port=8728 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment="MikroTik Service: winbox" dst-port=8291 jump-target=add-block-list protocol=tcp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (control)" dst-port=3784 jump-target=add-block-list protocol=udp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (echo)" dst-port=3785 jump-target=add-block-list protocol=udp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (multihop control)" dst-port=4784 jump-target=add-block-list protocol=udp
add action=jump chain=detect-remote-intrusion comment="BFD: WAN (multihop control)" dst-port=4784 jump-target=add-block-list protocol=tcp
add action=add-src-to-address-list address-list=remote-intrusion address-list-timeout=4w2d chain=add-block-list comment="Block address for 30d"
add action=drop chain=add-block-list comment="Drop packet immediately"
add action=return chain=lan-access comment="Allow Private VLAN" in-interface=vlan10
add action=return chain=lan-access comment="Allow Private VLAN" in-interface=vlan1001
add action=return chain=lan-access comment="Allow Virtual VLAN" in-interface=vlan30
add action=return chain=lan-access comment="Allow Wireguard" in-interface=wireguard1
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=tcp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=53 protocol=udp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=853 protocol=tcp
add action=return chain=lan-access comment="Allow DNS" dst-address=192.168.0.7 dst-port=853 protocol=udp
add action=return chain=lan-access comment="Allow Plex" dst-address=192.168.3.109 dst-port=32400 protocol=tcp
add action=return chain=lan-access comment="Allow Printer Access" dst-address=192.168.5.2
add action=return chain=lan-access comment="Allow Tablet to OBS" dst-address=192.168.1.2 dst-port=4455 protocol=tcp src-address=192.168.5.233
add action=drop chain=lan-access comment="Isolate Parents (to self)" in-interface=vlan1002 log-prefix="[FILTER]" out-interface=!vlan1002
add action=drop chain=lan-access comment="Isolate IOT" in-interface=vlan1005 log-prefix="[FILTER]"
add action=drop chain=lan-access comment="Isolate Guests" in-interface=vlan1255 log-prefix="[FILTER]"
/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connections for hairpin NAT" dst-address-list=my-wan-addresses new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=lan-addresses
/ip firewall nat
add action=accept chain=input comment="Allow connection to Wireguard server" dst-address-list=my-wan-addresses dst-port=13231 protocol=udp
add action=jump chain=srcnat comment="Create chain for LAN access" jump-target=lan-access
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT"
add action=masquerade chain=srcnat comment="Allow outgoing to internet" out-interface-list=WAN
add action=jump chain=dstnat comment="Create chain to force AGH usage (UDP)" disabled=yes dst-address-list=!my-wan-addresses dst-port=53 jump-target=dns-redirection log-prefix="[DNS REDIR]" protocol=udp
add action=jump chain=dstnat comment="Create chain to force AGH usage (TCP)" disabled=yes dst-address-list=!my-wan-addresses dst-port=53 jump-target=dns-redirection log-prefix="[DNS REDIR]" protocol=tcp
add action=jump chain=dstnat comment="Create chain for Portforwards" dst-address-list=my-wan-addresses jump-target=port-forwards log-prefix="[pf]"
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTP)" dst-port=80 protocol=tcp to-addresses=192.168.3.122 to-ports=80
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTPS)" dst-port=443 protocol=tcp to-addresses=192.168.3.122 to-ports=443
add action=dst-nat chain=port-forwards comment="Traefik Ingress (HTTPS/3)" dst-port=443 protocol=udp to-addresses=192.168.3.122 to-ports=443
add action=dst-nat chain=port-forwards comment="Modoboa (SMTP)" dst-port=25 protocol=tcp to-addresses=192.168.3.6 to-ports=25
add action=dst-nat chain=port-forwards comment="Modoboa (SMTPS)" dst-port=587 protocol=tcp to-addresses=192.168.3.6 to-ports=587
add action=dst-nat chain=port-forwards comment="Modoboa (SMTPS)" dst-port=465 protocol=tcp to-addresses=192.168.3.6 to-ports=465
add action=dst-nat chain=port-forwards comment="Modoboa (IMAP)" dst-port=143 protocol=tcp to-addresses=192.168.3.6 to-ports=143
add action=dst-nat chain=port-forwards comment="Modoboa (IMAPS)" dst-port=993 protocol=tcp to-addresses=192.168.3.6 to-ports=993
add action=dst-nat chain=port-forwards comment=Plex dst-port=32400 protocol=tcp to-addresses=192.168.3.109 to-ports=32400
add action=dst-nat chain=port-forwards comment=Minecraft dst-port=25565 protocol=tcp to-addresses=192.168.3.101 to-ports=25565
add action=dst-nat chain=port-forwards comment=Minecraft dst-port=25565 protocol=udp to-addresses=192.168.3.101 to-ports=25565
add action=dst-nat chain=port-forwards comment="pDNS AXFR (TCP)" dst-port=53 protocol=tcp to-addresses=192.168.3.122 to-ports=9053
add action=dst-nat chain=port-forwards comment="pDNS AXFR (UDP)" dst-port=53 protocol=udp to-addresses=192.168.3.122 to-ports=9053
add action=dst-nat chain=port-forwards comment=Portainer disabled=yes dst-port=888 protocol=tcp to-addresses=192.168.3.122 to-ports=9000
add action=dst-nat chain=port-forwards comment="BiglyBT (TCP)" dst-port=44769 protocol=tcp to-addresses=192.168.1.3 to-ports=44769
add action=dst-nat chain=port-forwards comment="BiglyBT (UDP)" dst-port=44769 protocol=udp to-addresses=192.168.1.3 to-ports=44769
add action=dst-nat chain=port-forwards comment="BiglyBT Remote" disabled=yes dst-port=48674 protocol=tcp to-addresses=192.168.1.3 to-ports=48674
add action=masquerade chain=lan-access comment="Printer Access" dst-address=192.168.5.2
add action=masquerade chain=lan-access comment="Masquerade Resolve Server" dst-address=192.168.1.251 src-address=!192.168.1.0/24
add action=accept chain=dns-redirection comment="Allow AGH out (UDP)" dst-port=53 protocol=udp src-address=192.168.0.7
add action=accept chain=dns-redirection comment="Allow AGH out (TCP)" dst-port=53 protocol=tcp src-address=192.168.0.7
add action=accept chain=dns-redirection comment="Allow PDNS out (UDP)" dst-port=53 protocol=udp src-address=192.168.3.122
add action=accept chain=dns-redirection comment="Allow PDNS out (TCP)" dst-port=53 protocol=tcp src-address=192.168.3.122
add action=dst-nat chain=dns-redirection comment="Force AGH usage (UDP)" dst-port=53 protocol=udp src-address=!192.168.0.7 to-addresses=192.168.0.7 to-ports=53
add action=dst-nat chain=dns-redirection comment="Force AGH usage (TCP)" dst-port=53 protocol=tcp src-address=!192.168.0.7 to-addresses=192.168.0.7 to-ports=53
/ip firewall raw
add action=drop chain=prerouting comment="Drop banned IPs in remote intrusion list" log-prefix="[DoS]" src-address-list=remote-intrusion
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad-src-ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad-dst-ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not-global-ipv4
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other" protocol=icmp
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop rst,urg" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad-tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.57.36/32 gateway=delta-vlan100 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.58.162/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.58.180/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.59.36/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.59.50/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.60.3/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta VoIP" disabled=no distance=1 dst-address=62.45.60.2/32 gateway=10.224.192.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no dst-address=62.45.57.34/32 gateway=10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.57.0/24 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.64/28 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.76.0/24 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.58.226/32 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.45.150/32 gateway=10.188.168.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.49.0/24 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=212.115.196.0/25 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=217.63.90.128/25 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.16/28 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=62.45.61.32/27 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no distance=1 dst-address=217.102.255.57/32 gateway=10.188.168.1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV" disabled=no dst-address=217.63.91.0/26 gateway=10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV" disabled=no dst-address=62.45.59.0/24 gateway=10.188.168.1 routing-table=main suppress-hw-offload=no
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.17/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.29/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.13/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.15/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.27/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="Delta IPTV (Undocumented)" disabled=no distance=1 dst-address=62.45.158.11/32 gateway=10.188.168.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set www-ssl address=192.168.1.0/24 certificate=webfig disabled=no
set api address=192.168.1.0/24,192.168.3.0/24,192.168.0.0/24
set winbox address=192.168.1.0/24,192.168.0.0/24,192.168.254.0/24
set api-ssl address=10.0.0.0/8,192.168.1.0/24 certificate=*10 disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/radius
add address=192.168.0.7 service=login
/routing igmp-proxy
set quick-leave=yes
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.5.241/32 table=*400
/snmp
set enabled=yes trap-version=3
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system health settings
set fan-control-interval=10s fan-min-speed-percent=0% fan-target-temp=60C
/system identity
set name=CCR2004-1G-12S+2XS
/system logging
set 0 topics=info,!dhcp
set 3 action=memory
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set local-clock-stratum=3
/system ntp client servers
add address=192.168.0.7
/system resource irq rps
set mgmt disabled=no
/system routerboard settings
set boot-delay=1s
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing
set store-every=24hours
/tool netwatch
add comment=CRS317-1G-16S+ disabled=no down-script="" host=192.168.0.2 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment=CRS326-24G-2S+ disabled=no down-script="" host=192.168.0.3 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment="AP Attic" disabled=no down-script="" host=192.168.0.5 http-codes="" interval=1m packet-count=4 packet-interval=20ms test-script="" timeout=1s type=simple up-script=""
add comment="AP Parents" disabled=no down-script="" host=192.168.0.6 http-codes="" interval=1m test-script="" thr-loss-percent=50% timeout=1s type=simple up-script=""
add comment=RB5009UG+S+ disabled=no down-script="" host=192.168.0.7 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
add comment="Switch Bedroom" disabled=no down-script="" host=192.168.0.9 http-codes="" interval=1m test-script="" timeout=1s type=simple up-script=""
/tool romon
set enabled=yes id=2C:C8:1B:39:8D:BD
/user aaa
set default-group=disallow use-radius=yes

And the CRS326:

# 2025-02-07 17:40:46 by RouterOS 7.14.2
# software id = REDACTED
#
# model = CRS326-24G-2S+
# serial number = REDACTED
/interface bridge
add admin-mac=B8:69:F4:8C:A1:06 auto-mac=no ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=bonding1-slave
set [ find default-name=ether2 ] comment=bonding1-slave
set [ find default-name=ether3 ] comment="Richthoven (MOBO1)"
set [ find default-name=ether4 ] comment=finlay-aspire3
set [ find default-name=ether5 ] comment="Isoroku IPMI"
set [ find default-name=ether6 ] comment=RB5009UG+S+IN
set [ find default-name=ether7 ] comment="Local DNS"
set [ find default-name=ether8 ] comment="User Manager"
set [ find default-name=ether9 ] comment="AP Attic"
set [ find default-name=ether10 ] comment="AP Parents"
set [ find default-name=ether11 ] comment="Switch Bedroom"
set [ find default-name=sfp-sfpplus1 ] comment=CCR2004-1G-12S+2XS
set [ find default-name=sfp-sfpplus2 ] comment=CRS317-1G-16S+
/interface vlan
add interface=bridge name=vlan1000 vlan-id=1000
/interface bonding
add comment="Isoroku (gigabit + mgmt)" mode=802.3ad name=bonding1 slaves=ether1,ether2 transmit-hash-policy=layer-2-and-3
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=Neighbours
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
add name=mktxp policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
add name=disallow
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=ether21 internal-path-cost=10 path-cost=10 pvid=1005
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=bonding1 internal-path-cost=10 path-cost=10 pvid=30
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=Neighbours
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge,ether9,ether10,ether11 vlan-ids=1005
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge,bonding1,ether9,ether10 untagged=ether4,ether5,ether3 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge untagged=bonding1 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether9,ether10 vlan-ids=1002
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether9,ether10 vlan-ids=1255
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bridge,bonding1,ether9,ether10 untagged=ether4,ether5,ether3 vlan-ids=1001
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether6,ether7,ether8,ether9,ether10,ether11 vlan-ids=1000
/interface list member
add interface=vlan1000 list=Neighbours
/ip dhcp-client
add interface=vlan1000
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/radius
add address=192.168.0.7 service=login
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system identity
set name=CRS326-24G-2S+
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports=p25,p26 identity=CRS326-24G-2S+ static-ip-address=192.168.0.3
/tool romon
set enabled=yes id=B8:69:F4:8C:A1:06
/tool sniffer
set filter-mac-address=D0:50:99:F1:92:82/FF:FF:FF:FF:FF:FF
/user aaa
set default-group=disallow use-radius=yes

And CRS317:

# 2025-02-07 17:40:08 by RouterOS 7.14.2
# software id = REDACTED
#
# model = CRS317-1G-16S+
# serial number = REDACTED
/interface bridge
add admin-mac=2C:C8:1B:2F:B9:CB auto-mac=no ingress-filtering=no name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] l2mtu=1592
set [ find default-name=sfp-sfpplus1 ] comment=CCR2004-1G-12S+2XS l2mtu=1592
set [ find default-name=sfp-sfpplus2 ] comment=CRS326-24G-2S+ l2mtu=1592
set [ find default-name=sfp-sfpplus3 ] comment=Richthoven l2mtu=1592
set [ find default-name=sfp-sfpplus4 ] comment=Isoroku l2mtu=1592
set [ find default-name=sfp-sfpplus5 ] comment=RB5009UG+S+IN l2mtu=1592
set [ find default-name=sfp-sfpplus6 ] l2mtu=1592
set [ find default-name=sfp-sfpplus7 ] l2mtu=1592
set [ find default-name=sfp-sfpplus8 ] l2mtu=1592
set [ find default-name=sfp-sfpplus9 ] l2mtu=1592
set [ find default-name=sfp-sfpplus10 ] l2mtu=1592
set [ find default-name=sfp-sfpplus11 ] l2mtu=1592
set [ find default-name=sfp-sfpplus12 ] l2mtu=1592
set [ find default-name=sfp-sfpplus13 ] l2mtu=1592
set [ find default-name=sfp-sfpplus14 ] l2mtu=1592
set [ find default-name=sfp-sfpplus15 ] l2mtu=1592
set [ find default-name=sfp-sfpplus16 ] l2mtu=1592
/interface vlan
add interface=bridge name=vlan1000 vlan-id=1000
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/user group
add name=mktxp policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,\
    !test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
add name=disallow
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus3 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus4 \
    internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge comment=defconf interface=sfp-sfpplus5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus9 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus10 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus11 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus12 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus13 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus14 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus15 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus16 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set enabled=no udp-timeout=10s
/interface bridge vlan
add bridge=bridge tagged=\
    bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus4,sfp-sfpplus5 untagged=\
    sfp-sfpplus3 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3 \
    untagged=sfp-sfpplus4 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 \
    vlan-ids=1002
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 \
    vlan-ids=1005
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5 \
    vlan-ids=1255
add bridge=bridge tagged=\
    bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus4,sfp-sfpplus5 untagged=\
    sfp-sfpplus3 vlan-ids=1001
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus5,bridge \
    vlan-ids=1000
/ip dhcp-client
add interface=vlan1000
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/radius
add address=192.168.0.7 service=login
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system health settings
set fan-control-interval=5s fan-min-speed-percent=0% fan-target-temp=60C
/system identity
set name=CRS317-1G-16S+
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set boot-os=router-os
/system swos
set allow-from-ports=p1,p2 allow-from-vlan=99 identity=CRS317-1G-16S+ \
    static-ip-address=192.168.0.2
/tool bandwidth-server
set authenticate=no enabled=no
/tool romon
set enabled=yes id=2C:C8:1B:2F:B9:CB
/tool sniffer
set filter-vlan=10
/user aaa
set default-group=disallow use-radius=yes

Hopefully this is good?

One minor side-note: it says VLAN10 and VLAN30 here while in my original question I used VLAN1001 and VLAN1003. This is because when I make the entire migration I want to move VLAN10 to VLAN1001 and VLAN30 to VLAN1003, hence the discrepancy.

Definite progress, thank you. By now you’ve seen this forum doesn’t handle code blocks consistently.
Please edit last post to add a blank line or two above code block begin and below code block close.

All exports start with comment lines: the first is the device model (not sensitive) and the third is the serial number (redact).
Leaving the first two comment lines in improves recognition significantly, as do the extra blank lines surrounding code blocks.

Edited the blocks.
They looked fine for me (for some reason, I had the old phpBB layout) but I’ve swapped to the “normal” layout to see if it worked (and will just stick to that, I don’t know why it swapped).

Also added the comment blocks you asked for, sans software ID and serial number.

OK, I see enough to draft a CRS309 configuration; that could be a further discussion starting point.
But it occurred to me CRS309 has L3HW Offload idiosyncrasies that must be kept front and center for best results.
We can work on improving current configurations prior to diving into the future.
Do you have a preference on where you prefer to go next?

  1. Question: Is the same pool for two different DHCP VLAN servers intentional??

/ip dhcp-server
add add-arp=yes address-pool=vlan10 interface=vlan10 lease-time=10m name=vlan10
add add-arp=yes address-pool=vlan1255 interface=vlan1255 lease-time=10m name=vlan1255
add add-arp=yes address-pool=vlan1002 interface=vlan1002 lease-time=10m name=vlan1002
add add-arp=yes address-pool=vlan30 interface=vlan30 lease-time=10m name=vlan30
add add-arp=yes address-pool=vlan1005 interface=vlan1005 lease-time=10m name=vlan1005
# the vlan1001 server below reuses address-pool=vlan10, the same pool as the vlan10 server above
add add-arp=yes address-pool=vlan10 interface=vlan1001 lease-time=10m name=vlan1001
add add-arp=yes address-pool=vlan1000 interface=vlan1000 lease-time=10m name=vlan1000

  2. Any particular reason you need to use bridge filtering vice normal filter rules (forward and input chain)???
    /interface bridge settings
    set use-ip-firewall-for-vlan=yes
    ???

  3. Recommend you set this to none, as it’s known to cause weird issues.
    /interface detect-internet
    set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN

  4. The complexity of your config grows with each line: you have much queueing but then have a plethora of fasttrack rules,
    suggesting fasttrack may not be compatible to use??? Somebody used to complex setups would be better qualified to comment.

  5. Many firewall rules are bloatware and should be removed; I would stick to defaults and then add the traffic needed. It would seem your focus
    is blocking traffic vice simply allowing only needed traffic.

Cannot help much more on the router side.
+++++++++++++++++++++++++++++++++++++++++++++++

  1. As for the switches, the main error I see is that all vlan-ids are tagged with the bridge in /interface bridge vlan settings.
    ONLY the vlan-id=1000 should be tagged for the bridge.

I do not know what oddities I’d have to deal with on the CRS309.
I could opt for a CRS310 instead if that would be less of a headache?
Or maybe another one of those CRS317’s, although that would be stretching the budget quite hard (I’d like to stay below 300 bucks).


Yes, I was in the process of moving VLAN10 to VLAN1000 but got distracted by something and haven’t found the time to finish that bit of migration yet.


No particular reason, I very likely followed some guide or something while doing that.
It was my first time using VLANs (so I might have made a bunch of mistakes here and there) but since it was almost 2 years ago, I can’t exactly remember what I did.
Can I just disable that setting (“use-ip-firewall-for-vlan=no”)?


Fixed.


The queueing is just how fast clients (e.g. my desktop or my parents’ devices) can go when trying to do stuff on the WAN.
The FT rules are for the IPTV and landline/VoIP (which run on separate VLANs to the ISP and don’t count towards my transfer speed), as well as some DNS-related stuff (which should just get through ASAP); hence they are fasttracked to lower resource usage (at least, that’s the idea).


I think you mean the things like the lan-access chain and the detect-remote-intrusion chains?
A lot of the rules could be considered “bloatware”, although I have them in there mostly to make it easier for me to follow what is going on (I mostly use WinBox).
So unless they hurt performance really badly (or otherwise cause major issues), I’d prefer to keep them there.


So you mean that only outgoing ports (not those that face the client itself) need to be tagged?
So if, say, “sfp-sfpplus1” goes to my router and “sfp-sfpplus2” goes to my client, only “sfp-sfpplus1” needs to have the tag?

VLAN1000 is your management or trusted VLAN, as all smart devices get their IP address on that VLAN, and all the other VLANs have nothing to do with the bridge:
coming in tagged on etherX and then going out either tagged or untagged on the rest of the switch ports.
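Applied to the CRS326 export posted earlier in this thread, the cleanup described above looks like this. It is an added example, not anav's or the poster's configuration: every port membership stays exactly as posted and the only change is that `bridge` is removed from the tagged list of every VLAN except 1000, the VLAN that carries the switch's own `vlan1000` interface. The verification loop after it is also added here and assumes the bridge is named `bridge` as in the export.

```routeros
# Before (as posted): the bridge, i.e. the switch CPU, is a tagged member of every VLAN.
# After: the CPU is a member of VLAN 1000 only; all other VLANs are pure switched paths.
/interface bridge vlan
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,ether9,ether10,ether11 vlan-ids=1005
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bonding1,ether9,ether10 untagged=ether3,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2 untagged=bonding1 vlan-ids=30
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,ether9,ether10 vlan-ids=1002
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,ether9,ether10 vlan-ids=1255
add bridge=bridge tagged=sfp-sfpplus1,sfp-sfpplus2,bonding1,ether9,ether10 untagged=ether3,ether4,ether5 vlan-ids=1001
# management VLAN: the only one where the bridge itself stays tagged
add bridge=bridge tagged=bridge,sfp-sfpplus1,sfp-sfpplus2,ether6,ether7,ether8,ether9,ether10,ether11 vlan-ids=1000

# Verification: print every VLAN entry that still lists the bridge as a tagged member.
# Expected result after the cleanup: exactly one line, for vlan-ids=1000.
:foreach v in=[/interface bridge vlan find] do={
    :local ids [/interface bridge vlan get $v vlan-ids]
    :local tg [/interface bridge vlan get $v tagged]
    :if ([:typeof [:find $tg "bridge"]] != "nil") do={
        :put "bridge is tagged in vlan-ids=$ids"
    }
}
```

Keeping the CPU out of the data VLANs is also the least-privilege option: the switch management plane then exists only in VLAN 1000, so a host in VLAN 10 or 30 has no L2 path to WinBox/SSH on the switch whatever `/ip service` happens to allow. Two caveats. First, this applies to switches that only bridge, which is how the CRS326 and CRS317 are configured today; a switch that is to route between VLANs with L3 HW offload, as the CRS309 in the proposed design would, needs `bridge` tagged in every VLAN that gets an `/interface vlan` on it. Second, make the change from the console or over the VLAN 1000 path, because removing `bridge` from the VLAN your own session rides on drops that session.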

Ahh, I see.
I’ll try to poke around with it this weekend to see if stuff breaks or not.
Already was kind of wondering about it in the past given how “unscalable” it felt, just never really played around with it.

Thank you for working with @anav, which has saved us time by pointing out that the current configurations have room for improvement and will affect the new intermediate switch at the firewall level, so I suggest we get the current firewall(s) relatively clean before writing a new switch draft configuration.

I see a misunderstanding here; let’s get up to speed on MikroTik Product+Naming, in particular read sections:

  • CloudCoreRouter naming details
  • CloudRouterSwitch and CloudSmartSwitch naming details

CCR products are classic routers deriving their routing performance from robust CPU designs. - Outstanding routers, meh switches.
CSS products are classic switches deriving their switching performance from robust switch chip designs. - Outstanding switches, weak routers.
CRS products are hybrid designs with CSS level CPU and CSS level switch chip capabilities with Layer 3 Hardware Offloading features. - Outstanding switches but good routers only within model specific constraints.

IMO reviewing Switch Chip Features is worthwhile and in particular drill deep into:

  • CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features section Models to learn specific switch chip model numbers corresponding to the CRS3xx products under consideration.
  • Review carefully TCAM references in L3 Hardware Offloading then scroll down this page and match up switch chip model numbers in the following sections:
  • L3HW Feature Support - IMO the critical table on that page.
    • L3HW Device Support
      • CRS3xx: Switch DX3000 and DX2000 Series
      • CRS3xx, CRS5xx: Switch DX8000 and DX4000 Series

Switch chip TCAM memory varies substantially and is a limiting factor in maintaining L3HW Offload wire speed performance.
TL;DR change from CRS309 to any CRSxxx product changes nothing qualitatively, only quantities at which pain points arise vary.
I have not drilled into currently posted configurations but will do so and follow up with additional posts as discoveries merit.

I have looked at the table but I couldn’t really make out from it what was important and what wasn’t (in fact, if it wasn’t for you mentioning the TCAM memory, I wouldn’t have known it existed).
I don’t use IPv6, so that should “save” me a lot of resources.
Seems like the CRS310 I proposed doesn’t support FT offloading, so it seems that that won’t do then? Am I correct?

Define FT please.

FastTrack

Thank you.

Agreed, per CRS3xx: Switch DX3000 and DX2000 Series CRS310 does not hardware offload Fasttrack nor NAT, whereas CRS309 per CRS3xx, CRS5xx: Switch DX8000 and DX4000 Series can hardware offload Fasttrack and NAT, but that is not a recommendation as all devices there are TCAM constrained as each HW FT connection uses TCAM.

Consider instead if current LAN to LAN firewall rules can be substituted with Switch Rules (ACL) per section Stateless Hardware Firewall and if so then you have CCR2004 downtime affecting only WAN links and not LAN links assuming all required Switch Rules fit within device TCAM limits.

IMO the device constraining issues surrounding your request are now exposed in this topic. Skills demonstrated so far suggest the capability to self-service the request is within reach once device specific issues are understood. Let’s continue the design discussion and decide later if configuration drafting is still an attractive play.
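A sketch of what the Stateless Hardware Firewall suggested above could look like on the CRS317, added here as an example rather than anything from the thread or from MikroTik's own documentation. It assumes the address plan implied earlier in the thread (VLAN1001 = 192.168.1.0/24 desktops, VLAN1003 = 192.168.3.0/24 NAS, VLAN1000 = 192.168.0.0/24 management), that the switch chip is named `switch1`, and that the listed `ports` are where those VLANs' frames enter the CRS317 (the sfp-sfpplus3/4 access ports and the sfp-sfpplus1/2 trunks from the export). Property names follow the CRS3xx switch-rule (ACL) documentation, where a matching rule with no action is an allow, `new-dst-ports=""` is a drop, and rules are evaluated top-down with first match winning; verify that against the RouterOS version on the device before relying on it.

```routeros
# Ingress ACL on the CRS317 switch chip. Every rule costs one TCAM entry and is
# matched on frames entering the listed ports, before L3 HW routing happens.
# Stateless: there is no "established,related", so replies need their own rule.
/interface ethernet switch rule
# 1. desktops -> NAS: SMB only
add switch=switch1 ports=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 \
    mac-protocol=ip src-address=192.168.1.0/24 dst-address=192.168.3.0/24 \
    protocol=tcp dst-port=445 comment="ACL allow desktop->NAS SMB"
# 2. NAS -> desktops: SMB replies, matched on the source port since there is no state table
add switch=switch1 ports=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 \
    mac-protocol=ip src-address=192.168.3.0/24 dst-address=192.168.1.0/24 \
    protocol=tcp src-port=445 comment="ACL allow NAS->desktop SMB replies"
# 3. everything else between the two VLANs is dropped, in both directions
add switch=switch1 ports=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 \
    mac-protocol=ip src-address=192.168.1.0/24 dst-address=192.168.3.0/24 \
    new-dst-ports="" comment="ACL drop desktop->NAS other"
add switch=switch1 ports=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 \
    mac-protocol=ip src-address=192.168.3.0/24 dst-address=192.168.1.0/24 \
    new-dst-ports="" comment="ACL drop NAS->desktop other"
# 4. data VLANs never reach the management VLAN (one rule per source prefix, so
#    management-to-management traffic crossing the trunks is not caught by accident)
add switch=switch1 ports=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 \
    mac-protocol=ip src-address=192.168.1.0/24 dst-address=192.168.0.0/24 \
    new-dst-ports="" comment="ACL drop desktop->mgmt"
add switch=switch1 ports=sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4 \
    mac-protocol=ip src-address=192.168.3.0/24 dst-address=192.168.0.0/24 \
    new-dst-ports="" comment="ACL drop NAS->mgmt"
```

Three things to check before trusting it. The reply rule (2) is the price of being stateless: any host in 192.168.3.0/24 that sends from source port 445 can reach any port on any desktop, so a compromised NAS gets more reach than it would through the CCR2004's stateful forward chain; keep that rule as narrow as the real protocol allows. Port-forwarded traffic from the CCR2004 (a DST-NAT to 192.168.3.x with an internet source address) matches none of these rules and is forwarded normally, which is what the proposed design wants, but it also means the ACL does nothing for WAN-originated traffic; that stays the CCR2004's job. Because IPv6 is disabled on the switches in the posted exports the IPv4-only matchers are sufficient; if IPv6 is ever enabled, add equivalent `src-address6`/`dst-address6` rules or a `mac-protocol=ipv6` drop, otherwise the policy is bypassed by the other address family.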

Oh yes, they very likely can.
The firewall rules are just there because the CCR2004 doesn’t have that feature.
They would very likely fit within the limits (my network isn’t anything insane, just think small homelab)?

I appreciate all the help so far though!

Oops, I’m late in reading existing device details. Please note CRS317 is more capable than CRS309, which is more capable than CRS310.

Consider moving CRS310 to CCR2004 connections downstream of the CRS317 and deploy L3 HW routing with a Stateless Hardware Firewall on CRS317.

Ok so, viewing from the WAN side (incoming from ISP):

  • ISP
  • CCR2004
  • CRS317
  • CRS309* + CRS326

CRS310 only has 4 SFP+ ports, which isn’t enough; the CRS309 would have enough ports for the foreseeable future while still giving me options to expand.
Would moving the CRS309 down one step be a big improvement?
From what I can tell, the biggest differences are just the number of ports and the amount of RAM (and an RS232 port which I never really use)?