Difficulties with VLAN setup -- help requested

netman · December 8, 2023, 11:58pm

Good evening everyone,

I’ve been struggling to get VLANs set up on my home network for about a week now, and after trying several different techniques I think I discovered the correct way, but things aren’t working. I’ve already read the following posts:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
http://forum.mikrotik.com/t/dhcp-in-vlans-not-working-on-ccr2004/161900/1
http://forum.mikrotik.com/t/routeros-bridge-mysteries-explained/147832/1

Unfortunately, while it seems as though I’ve gotten the bridge and VLANs set up properly (including tagging the vlan bridge), I cannot get dhcp addresses and I believe there is a problem.

Current config:

# 2023-12-08 18:28:07 by RouterOS 7.12


# model = RB750Gr3

/interface bridge
add name=VLAN_BRIDGE protocol-mode=none
add name=mgmt-vlan
/interface ethernet
set [ find default-name=ether3 ] name=ether3-access
/interface vlan
add interface=VLAN_BRIDGE name=IOT_vlan40 vlan-id=40
add interface=VLAN_BRIDGE name=guest_vlan60 vlan-id=60
add interface=VLAN_BRIDGE name=management_vlan99 vlan-id=99
add interface=VLAN_BRIDGE name=services_vlan20 vlan-id=20
add interface=VLAN_BRIDGE name=trusted_devices_vlan50 vlan-id=50
/interface list
add name=listBridge
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges="ISP provided wan IP"
add name=dhcp_pool9 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool10 ranges=10.10.100.2-10.10.100.254
add name=dhcp_pool16 ranges=10.10.20.2-10.10.20.254
add name=dhcp_pool17 ranges=10.10.40.2-10.10.40.254
add name=dhcp_pool18 ranges=10.10.50.2-10.10.50.254
add name=dhcp_pool19 ranges=10.10.60.2-10.10.60.254
add name=dhcp_pool20 ranges=10.10.99.2-10.10.99.254
add name=dhcp_pool21 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool10 interface=mgmt-vlan name=dhcp7
add address-pool=dhcp_pool16 interface=services_vlan20 name=dhcp2
add address-pool=dhcp_pool17 interface=IOT_vlan40 name=dhcp3
add address-pool=dhcp_pool18 interface=trusted_devices_vlan50 name=dhcp4
add address-pool=dhcp_pool19 interface=guest_vlan60 name=dhcp5
add address-pool=dhcp_pool20 interface=management_vlan99 name=dhcp6
/port
set 0 name=serial0
/interface bridge port
add bridge=VLAN_BRIDGE interface=ether2 pvid=99
add bridge=mgmt-vlan interface=ether3-access trusted=yes
add bridge=VLAN_BRIDGE interface=ether4 pvid=20
add bridge=VLAN_BRIDGE interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface bridge vlan
add bridge=VLAN_BRIDGE tagged=VLAN_BRIDGE,ether2 untagged=ether5 vlan-ids=20
add bridge=VLAN_BRIDGE tagged=VLAN_BRIDGE,ether2 vlan-ids=40
add bridge=VLAN_BRIDGE tagged=VLAN_BRIDGE,ether2 vlan-ids=50
add bridge=VLAN_BRIDGE tagged=VLAN_BRIDGE,ether2 vlan-ids=60
add bridge=VLAN_BRIDGE tagged=VLAN_BRIDGE,ether2 vlan-ids=99
/interface list member
add interface=*7 list=listBridge
add interface=ether1 list=WAN
/ip address
add address=10.10.99.1/24 interface=management_vlan99 network=10.10.99.0
add address=10.10.20.1/24 interface=services_vlan20 network=10.10.20.0
add address=10.10.40.1/24 interface=IOT_vlan40 network=10.10.40.0
add address=10.10.50.1/24 interface=trusted_devices_vlan50 network=10.10.50.0
add address=10.10.60.1/24 interface=guest_vlan60 network=10.10.60.0
add address=10.10.100.1/24 interface=ether3-access network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=15m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=1.1.1.1 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.50.0/24 gateway=10.10.50.1
add address=10.10.60.0/24 gateway=10.10.60.1
add address=10.10.99.0/24 dns-server=1.1.1.1 gateway=10.10.99.1
add address=10.10.100.0/24 gateway=10.10.100.1
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=10.10.10.1-10.10.254.254 list=allowed-to-router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input comment="allow wireguard" dst-port=13231 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input dst-port=13232 in-interface-list=WAN protocol=udp
add action=accept chain=input dst-port=13233 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow wireguard traffic" disabled=yes \
    src-address=192.168.100.0/24
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="allow ICMP" disabled=yes in-interface=\
    ether1 protocol=icmp
add action=drop chain=input comment="allow Winbox" in-interface=ether1 port=\
    8291 protocol=tcp
add action=drop chain=input comment="allow SSH" in-interface=ether1 port=22 \
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related \
    hw-offload=yes
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input src-address-list=allowed-to-router
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=ether1 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=input disabled=yes dst-port=8291 in-interface=\
    all-ethernet protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=fe80::/64 list=allowed
add address=fe80::/16 list=allowed
add address=ff02::/16 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" \
    connection-state=established,related
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment="accept DHCPv6-Client prefix delegation." \
    dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=drop chain=forward comment=invalid connection-state=invalid log=yes \
    log-prefix=ipv6,invalid
add action=drop chain=forward log-prefix=IPV6
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge

I have the WAN coming in ether1, a trunk port for ether2, a management interface on ether3, and want an access port for vlan 20 on ether5. I’m expecting the TP-LINK TL-SG108E to pick up an IP from the management vlan99 (PVID 99 on ether2), but it does not. Neither does the device on ether5, which should pick up an IP from vlan20. I haven’t enabled vlan filtering yet, since I just want to make sure DHCP works first.

I’m not sure if it’s the firewall rules causing issues, or if I made another mistake, but I appreciate anyone’s help to get things configured properly. Thank you in advance!

anav · December 9, 2023, 2:20am

(1) Turn on vlan-filtering=yes

(2) WHY DO YOU HAVE A mgm-vlan bridge??? GET RID OF THIS, its not needed.

(3) WHAT THE HECK is the comment here
add name=dhcp_pool2 ranges="ISP provided wan IP"

What does internal LAN or VLAN pool have anything to do with the WAN side ???

Why are there 8 real pools and only 5 VLANS???
If you need 8 separate groups of users, then make 8 vlans!

You have 6 dchp servers and yet you have 5 vlans… Nothing and I mean nothing adds up on your config…

(4) Your statement I have a trunk port on ether2 and then you have this for a rule… Tells me you dont actually understand MT RoS and more importantly that you need to go back to the first article and spend more time studying it!!!
/interface bridge port
add bridge=VLAN_BRIDGE interface=ether2 pvid=99

(5) Why is ether3 associated with a bridge… Dump this bridge and if you want that as an available port simply assign the address to the port directly as you have done already,
No need to create the bridge for it…

(6) 8 addresses and only 5 vlans and one ether2 subnet… whats with the extra 2 subnets??

(7) Where is your address for wireguard??

(8) Why do you have three wireguard rules with dst ports in the INPUT chain??

(9) Something wrong with your entry here to cause the *7 ???
add interface /interface list member
add interface=*7 list=listBridge=ether1 list=WAN

(10) Dont see any wireguard peer settings???

mountainadventurer · December 9, 2023, 5:31am

anav, thank you for your reply, I appreciate your patience. To address your points:

(1) I’ll try it but I was worried about getting kicked off and was planning on turning it on once everything was working. How does allowing the bridge to filter vlans enable the dhcp servers, or fix the issue?

(2) It was suggested by the mikrotik confluence wiki to use a separate management bridge for a dedicated management port, I was planning on adding that port to the regular vlan99 once everything was working.

(3) I was just obfuscating my public IP address. There is no issue with internet access and I just did this before pasting it in this forum.

In the process of trying various methods of creating vlans more IP pools accumulated than necessary, I should have cleaned this up more before I posted, apologies. However, If there is no overlap, and they’re not referenced anywhere else, then I don’t know how that would impact vlan functionality.

(4) What specifically is wrong with that though? I want the switch (connected to the trunk port of the router) to receive an IP from the DHCP server serving vlan 99 since I want it to be part of the management vlan. My understanding is that my switch sends untagged management frames to the router, therefore I want the PVID to be 99 to match the management vlan so that a dhcp ip from that subnet can be assigned. I did attempt to incorporate what was mentioned in the first article with what I needed for my network, but apparently I missed something. Please let me know specifically what I didn’t pick up on.

(5) Ok, I’ll try that. If I want to assign an IP from the management subnet (10.10.99.1/24) do I need the management vlan dhcp server, or can I just pick an IP and assign it? For example 10.10.99.15/32, network 10.10.99.0, and then exclude that IP from the dhcp pool?

(6) Again, an artifact from attempting different configurations.

(7, 8, 10) I had wireguard set up previously to allow for connections from outside my LAN. However, I didn’t want them to interfere with the vlan configuration, so I removed them as interfaces and from the bridge, I seem to have forgotten to remove them from the firewall. Did this cause an issue to prevent the vlans from working?

(9) I’m not sure what this means to be honest. Is this an error?

It seems like the best course of action would be to just reset to the default configuration and reimplement vlans from scratch. I’ll try it tomorrow and report back if it ends up working.
Hopefully my responses cleared some things up. Thanks again for your help, I appreciate it.

anav · December 9, 2023, 4:30pm

If afraid of getting kicked by vlan-filtering=yes… you have a valid concern, what I do is take an unused port and stick an IP address on it and do all my initial configuring from there safely.
https://forum.mikrotik.com/viewtopic.php?t=181718

As to the other points…
4. Incorrect, the switch is setup such that the port that connects tot he router is also a trunk port and in this case carries at least vlan99 ( the subnet the switch will get its IP from, which I would set manually and then put that in statically on the router dhcp leases) and any other vlans tagged that the switch is handling.

By stating pVID you are setting up either an access port or hybrid port scenario NOT a trunk port and thus incorrect.

Answered above ( set statically in dhcp leases, put what you want on the switch .15, get the mac address and manually add it to the router, outside the pool is even better )
No but wireguard has nothing to do with vlans directly, and is the proper way of accessing your router remotely for either config purposes, lan access purposes or WAN access puprposes.
No idea why the error is there but it indicates some discrepancy the router doesnt like.

netman · December 10, 2023, 8:06pm

Thanks for your help. I have the vlans working, but now I’m having an issue with winbox access. I made some changes after reapplying the default configuration. As a recap, I have WAN coming in ether1, ether2 functioning as a trunk to the switch, ether3 as a management port, and ether5 as an access port to vlan20. The vlans are: “services”=vlan20, “IOT”=vlan40, “trusted”=vlan50, “guest”=vlan60, and “management”=vlan99. Currently, I can access winbox only from a PC directly connected to ether3. I set the mac-server to allow access from the “Trusted” interface list, however changing it to “LAN” which includes the vlan-bridge has no effect. I also cannot see the mikrotik mac in the winbox “neighbors” tab from ether5, or a device going through a vlan on the switch.

Current config:

# 2023-12-10 14:48:20 by RouterOS 7.12
# software id = J0QT-S5FH
#
# model = RB750Gr3
/interface bridge
add name=vlan-bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] name=ether3-mgmt-port
/interface vlan
add interface=vlan-bridge name=IOT-vlan40 vlan-id=40
add interface=vlan-bridge name=guest-vlan60 vlan-id=60
add interface=vlan-bridge name=management-vlan99 vlan-id=99
add interface=vlan-bridge name=service-vlan20 vlan-id=20
add interface=vlan-bridge name=trusted-vlan50 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Trusted
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=service-dhcp-pool ranges=10.10.20.2-10.10.20.254
add name=IOT-dhcp-pool ranges=10.10.40.2-10.10.40.254
add name=trusted-dhcp-pool ranges=10.10.50.2-10.10.50.254
add name=guest-dhcp-pool ranges=10.10.60.2-10.10.60.254
add name=managment-dhcp-pool ranges=10.10.99.2-10.10.99.254
/ip dhcp-server
add address-pool=service-dhcp-pool interface=service-vlan20 name=service-dhcp
add address-pool=IOT-dhcp-pool interface=IOT-vlan40 name=IOT-dhcp
add address-pool=trusted-dhcp-pool interface=trusted-vlan50 name=trusted-dhcp
add address-pool=guest-dhcp-pool interface=guest-vlan60 name=guest-dhcp
add address-pool=managment-dhcp-pool interface=management-vlan99 name=\
    management-dhcp
/port
set 0 name=serial0
/interface bridge port
add bridge=vlan-bridge comment=defconf interface=ether2 pvid=99
add bridge=vlan-bridge comment=defconf interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/interface bridge vlan
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=20
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=40
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=50
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=60
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=99
/interface list member
add comment=defconf interface=vlan-bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether3-mgmt-port list=Trusted
add interface=ether2 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.99.1/24 comment="managment port only" interface=\
    ether3-mgmt-port network=192.168.99.0
add address=10.10.20.1/24 interface=service-vlan20 network=10.10.20.0
add address=10.10.40.1/24 interface=IOT-vlan40 network=10.10.40.0
add address=10.10.50.1/24 interface=trusted-vlan50 network=10.10.50.0
add address=10.10.60.1/24 interface=guest-vlan60 network=10.10.60.0
add address=10.10.99.1/24 interface=management-vlan99 network=10.10.99.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.99.10 client-id=1:48:22:54:d4:5d:3f mac-address=\
    48:22:54:D4:5D:3F server=management-dhcp
/ip dhcp-server network
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.50.0/24 gateway=10.10.50.1
add address=10.10.60.0/24 gateway=10.10.60.1
add address=10.10.99.0/24 gateway=10.10.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 log=\
    yes port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 \
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set winbox address=0.0.0.0/0
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=Trusted
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
/tool sniffer
set filter-interface=ether5

A few notes: It was advised to remove PVID 99 from the trunk port, ether2. However I wanted to make sure that the switch management traffic that was initially untagged found it’s way to the right subnet. I’ll change it once all configuration is done. However, temporarily changing it back to PVID=1, makes no difference for winbox.

If anyone has any suggestions as to why I cannot access winbox from any vlan currently I would appreciate it.

As a side note, all of my devices on different vlans can currently communicate. I didn’t think this was allowed by default, so if there is any insight there that would be appreciated as well.

anav · December 11, 2023, 3:21am

(1) It makes zero sense to send a hybrid port to a managed switch. Get off the drugs!
All vlans should be tagged to the managed switch on the trunk port.

/interface bridge port
add bridge=vlan-bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged
add bridge=vlan-bridge comment=defconf interface=ether5 pvid=20 ingress-filtering=yes frame-types=admit-priority-and-untagged
/ip neighbor discovery-settings
set discover-interface-list=Trusted
/interface bridge vlan
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=40,50,60,99 { you only need one line for this }
add bridge=vlan-bridge tagged=vlan-bridge,ether2 untagged=ether5 vlan-ids=2

(2) Your Interface list members is wrong and needs adjustment to the following:
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=service-vlan20 list=LAN
add interface=IOT-vlan40 list=LAN
add interface=trusted-vlan50 list=LAN
add interface=guest-vlan60 list=LAN
add interface=management-vlan99 list=LAN
add interface=management-vlan99 list=Trusted
add interface=trusted-vlan50 list=Trusted
add interface=ether3-mgmt-port list=Trusted

(3) Get rid of this static DNS setting…
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(4) Modify input chain rule for better security.
REPLACE FOLLOWING:
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN

With:
add action=accept chain=input src-address-list=Authorized comment=“Config Access”
add action=accept chain=input comment=“Allow LAN DNS queries-UDP”
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=“Allow LAN DNS queries - TCP”
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment=“drop all else” { add only after admin allow rule and firewall address list are in place }

The firewall address list is comprised of static DHCP leases and by devices the admin uses…
/ip firewall address-list
add address=10.10.50.X list=Authorized comment=“local admin desktop”
add address=10.10.50.Y list=Authorized comment=“local admin laptop”
add address=10.10.50.Z list=Authorized comment=“local admin ipad/smartphone”
add address=10.10.99.X list=Authorized comment=“admin when on mgmt network”
add address=192.168.99.0/24 list=Authorized comment="admin connecting from ether3

THe users on the network ONLY need access to DNS services…

(5) You have duplicate input chain rules ALL THAT NEED TO BE DELETED>
Look after this rule in the forward chain and you will spot them.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
—>
add action=accept chain=input comment=“accept established,related”
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment=“allow ICMP” in-interface=ether1
protocol=icmp
add action=accept chain=input comment=“allow Winbox” in-interface=ether1 log=
yes port=8291 protocol=tcp
add action=accept chain=input comment=“allow SSH” in-interface=ether1 port=22
protocol=tcp
add action=drop chain=input comment=“block everything else” in-interface=
ether1

(6) Speaking about the last rule in the forward chain, we are going to modify it for clarity and better security so dump it and replace with the following.
add action=accept chain=forward comment=“allow internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“port forwarding” connection-nat-state=dstnat disabled=yes {enable if required}
add action=drop chain=forward comment="drop all else"

(7) Dont see the purpose of this entry? If there are no values entered in for winbox, that means there are NO restrictions, and all possible IP addresses have access at least to the extent that this part of overall security allows all users. Thus no entry and 0.0.0.0/0 amount to the same thing.
set winbox address=0.0.0.0/0

Much better to actually include subnets where the admin will be located to access the Router for config purposes.
Aka Management SUBNET, TRUSTED SUBNET and ether3 subnet.
set winbox address=10.10.50.0/24,10.10.99.0/24,192.168.99.0/24

(8) If not using IPV6 ensure you disable it and replace all the ipv6 firewal rules with
add chain=input action=drop
add chain=forward action=drop

(9) At the bottom of the config, mac-server is not a secure method of access and thus only mac-server mac-winbox should have Trusted entry
fixed…
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=Trusted

netman · December 11, 2023, 5:15am

First, thank you so much for taking the time to help an internet stranger with their issues, it means a lot to me! I think that solved the issue of being able to log in to winbox, as I’m now able to log in from my laptop on 10.10.50.4 from a wireless access point, through a switch, into ether2 of the router, so great!

Thanks for taking a look at those firewall rules as well. I tried my best to implement them, however I’m still slightly confused and want to ensure that I did not misconfigure them (I want to avoid my router being publicly accessible lol).

Current config:

# 2023-12-10 23:56:12 by RouterOS 7.12
# software id = J0QT-S5FH
#
# model = RB750Gr3

/interface bridge
add name=vlan-bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] name=ether3-mgmt-port
/interface vlan
add interface=vlan-bridge name=IOT-vlan40 vlan-id=40
add interface=vlan-bridge name=guest-vlan60 vlan-id=60
add interface=vlan-bridge name=management-vlan99 vlan-id=99
add interface=vlan-bridge name=service-vlan20 vlan-id=20
add interface=vlan-bridge name=trusted-vlan50 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Trusted
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=service-dhcp-pool ranges=10.10.20.2-10.10.20.254
add name=IOT-dhcp-pool ranges=10.10.40.2-10.10.40.254
add name=trusted-dhcp-pool ranges=10.10.50.2-10.10.50.254
add name=guest-dhcp-pool ranges=10.10.60.2-10.10.60.254
add name=managment-dhcp-pool ranges=10.10.99.2-10.10.99.254
add name=dhcp_pool6 ranges=172.16.99.2-172.16.99.254
/ip dhcp-server
add address-pool=service-dhcp-pool interface=service-vlan20 name=service-dhcp
add address-pool=IOT-dhcp-pool interface=IOT-vlan40 name=IOT-dhcp
add address-pool=trusted-dhcp-pool interface=trusted-vlan50 name=trusted-dhcp
add address-pool=guest-dhcp-pool interface=guest-vlan60 name=guest-dhcp
add address-pool=managment-dhcp-pool interface=management-vlan99 name=\
    management-dhcp
/port
set 0 name=serial0
/interface bridge port
add bridge=vlan-bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether2
add bridge=vlan-bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=vlan-bridge tagged=vlan-bridge,ether2 untagged=ether5 vlan-ids=20
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=40
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=50
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=60
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=99
/interface list member
add comment=" " interface=ether1 list=WAN
add comment=" " interface=ether3-mgmt-port list=Trusted
add interface=service-vlan20 list=LAN
add interface=IOT-vlan40 list=LAN
add interface=trusted-vlan50 list=LAN
add interface=guest-vlan60 list=LAN
add interface=management-vlan99 list=LAN
add interface=management-vlan99 list=Trusted
add interface=trusted-vlan50 list=Trusted
/ip address
add address=192.168.99.1/24 comment="managment port only" interface=\
    ether3-mgmt-port network=192.168.99.0
add address=10.10.20.1/24 interface=service-vlan20 network=10.10.20.0
add address=10.10.40.1/24 interface=IOT-vlan40 network=10.10.40.0
add address=10.10.50.1/24 interface=trusted-vlan50 network=10.10.50.0
add address=10.10.60.1/24 interface=guest-vlan60 network=10.10.60.0
add address=10.10.99.1/24 interface=management-vlan99 network=10.10.99.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.99.10 client-id=1:48:22:54:d4:5d:3f mac-address=\
    48:22:54:D4:5D:3F server=management-dhcp
/ip dhcp-server network
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.50.0/24 gateway=10.10.50.1
add address=10.10.60.0/24 gateway=10.10.60.1
add address=10.10.99.0/24 gateway=10.10.99.1
add address=172.16.99.0/24 gateway=172.16.99.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.10.50.0/24 comment="\"local trusted devices\"" list=Authorized
add address=10.10.99.0/24 comment="\"management addresses\"" list=Authorized
add address=192.168.99.0/24 comment="\"admin user on ether3\"" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="\"config access\"" src-address-list=\
    Authorized
add action=accept chain=input comment="\"Allow LAN DNS queries-UDP\"" dst-port=\
    53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="\"Allow LAN DNS queries - TCP\"" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="\"drop all else\""
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="\"allow internet traffic\"" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="\"port forwarding\"" \
    connection-nat-state=!dstnat
add action=drop chain=forward comment="\"drop all else\""
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related disabled=yes
add action=drop chain=input connection-state=invalid disabled=yes
add action=accept chain=input comment="allow ICMP" disabled=yes in-interface=\
    ether1 protocol=icmp
add action=accept chain=input comment="allow Winbox" disabled=yes in-interface=\
    ether1 log=yes port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" disabled=yes in-interface=\
    ether1 port=22 protocol=tcp
add action=drop chain=input comment="block everything else" disabled=yes \
    in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set winbox address=10.10.50.0/24,10.10.99.0/24,192.168.99.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=drop chain=input
add action=drop chain=forward
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Trusted
/tool sniffer
set filter-interface=ether5

And for clarity an image of the ipv4 firewall:
Screenshot 2023-12-11 000618.png
Screenshot 2023-12-11 001412.png
I left some things in place like the “drop all not coming from LAN” because I wanted to make sure that the other rules were in place correctly, especially since this rule is catching packets.

Please let me know if everything in the firewall or config is in place correctly.

Additionally, I noticed that I can still ping across vlans. For example, from my laptop (10.10.50.4) to my cell phone (10.10.60.2). My understanding was the vlans had to explicitly be allowed to communicate with firewall rules, and that by default they wouldn’t be able to communicate. Is this because they’re all on the same bridge and normal behavior? If so I assume I can just create firewall rules to prevent, for example, the IOT vlan being able to communicate with the management vlan.

Thanks again for all your help, it’s greatly appreciated!

anav · December 11, 2023, 1:16pm

(1) This rule is no longer required in the input chain…
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN

(2) You made the same error in the forward chain, you DIDNT get rid of the old rule that we replaced. Get rid of it!!
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed”
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(3) Why do you have all the old rules at the bottom still on your CONFIG… get rid of them…

add action=accept chain=input comment=“accept established,related”
connection-state=established,related disabled=yes
add action=drop chain=input connection-state=invalid disabled=yes
add action=accept chain=input comment=“allow ICMP” disabled=yes in-interface=
ether1 protocol=icmp
add action=accept chain=input comment=“allow Winbox” disabled=yes in-interface=
ether1 log=yes port=8291 protocol=tcp
add action=accept chain=input comment=“allow SSH” disabled=yes in-interface=
ether1 port=22 protocol=tcp
add action=drop chain=input comment=“block everything else” disabled=yes
in-interface=ether1

Should work fine now.
For the admin firewall address list, if you are the only user on the subnets fine to leave it, but if they are shared, then best to detail only your devices.