Does my config meet my ISP requirements

Krakadoom · February 5, 2026, 5:51am

2026-02-04T11:00:00Z

I have change ISP while moving to a new house

This is the requirement from my ISP for fibre connection. Fairly standard for Fibre in NZ

Looking for confirmation or advice. Its been 5 years since I last worked with RouterOS so I’m not confident in my abilities.

This is my current config which I think has covered the requirements although I haven’t added the DNS addresses yet.

2026-02-05 12:19:00 by RouterOS 7.15.2

software id = ZPSL-N8FI

model = C52iG-5HaxD2HaxD

serial number = mod removed

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
set [ find default-name=ether2 ] name="ether2 - LAN"
/interface wifi
set [ find default-name=wifi1 ] configuration.country="New Zealand" .mode=ap
.ssid=LivingtheDream disabled=no
set [ find default-name=wifi2 ] configuration.country="New Zealand" .mode=ap
.ssid=LivingtheDream disabled=no
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.0/24
/interface bridge port
add bridge=bridge1 interface="ether1 - WAN"
add bridge=bridge1 interface=all
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge1 tagged="ether1 - WAN" vlan-ids=10
/interface list member
add interface="ether1 - WAN" list=WAN
add interface="ether2 - LAN" list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wifi1 list=LAN
add interface=wifi2 list=LAN
/ip address
add address=192.168.1.254/24 interface="ether2 - LAN" network=192.168.1.0
/ip dhcp-client
add comment=WAN interface=bridge1
/ip dhcp-server
add address-pool=dhcp comment="LAN Server" interface=bridge1 name=dhcp1
server-address=192.168.1.254
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ipv6 dhcp-client
add interface="ether1 - WAN" request=address
/system clock manual
set dst-delta=+13:00 dst-end="2026-04-05 02:00:00" dst-start=
"2025-09-28 02:00:00" time-zone=+12:00
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

BartoszP · February 5, 2026, 7:11am

You have to

do not put all interfaces to bridge1, just the ones that are really your LAN side eth2-eth5+wifi
add VLAN10 tagged with pvid=10 sub interface to eth1
remove eth1 from WAN group
add VLAN10 do WAN group

anav · February 5, 2026, 1:15pm

/interface bridge
add name=bridge1 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - WAN"
set [ find default-name=ether2 ] name="ether2 - LAN"
/interface vlan
add interface=”ether1 - WAN” name=vlanISP vlan-id=10
/interface wifi
set [ find default-name=wifi1 ] configuration.country="New Zealand" .mode=ap
.ssid=LivingtheDream disabled=no
set [ find default-name=wifi2 ] configuration.country="New Zealand" .mode=ap
.ssid=LivingtheDream disabled=no
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.0/24
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge-bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface="ether1 - WAN" list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.254/24 interface=bridge1 network=192.168.1.0
/ip dhcp-client
add comment=WAN interface=vlanISP
/ip dhcp-server
add address-pool=dhcp comment="LAN Server" interface=bridge1 name=dhcp1
server-address=192.168.1.254
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
{ admin rules }
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment=”drop all else”
+++++++++++++++++++++
{ default rules to keep }
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
{ admin rules }
add action=accept chain=forward comment=”internet traffic” in-interface-list=LAN \
out-interface-list=WAN
add action=drop chain=forward comment=”drop all else”
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system clock manual
set dst-delta=+13:00 dst-end="2026-04-05 02:00:00" dst-start=
"2025-09-28 02:00:00" time-zone=+12:00
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

rextended · February 5, 2026, 1:41pm

Is better to reset all to defaults, is a mess....

do not use quickset
do not use quickset
Upgrade software to at least to 7.16.2... 7.15 has some... security problems... (do not forget wifi-qcom-7.16.2 package)
Upgrade firmware
Reset to defaults
Add VLAN10 on ether1 (do not touch "bridge" section, add VLAN on"interfaces" section)
add VLAN10 to interface group WAN
Add dhcp client to vlan10
Done. do not do anythong more and test if internet is working.

If you want use 192.168.1.0/24 instead of default 192.168.88.0/24 and set WiFi do it separately, first check if all is working, and do not touch firewall.

anav · February 5, 2026, 2:01pm

That is one possibility.
Where I fully agree is to upgrade to the latest long term software version 7.20.8

Krakadoom · February 10, 2026, 9:04am

Thanks you all for your help.

I haven’t been able to test until the coming weekend. I will come back with results.

qatar2022 · February 10, 2026, 10:05am

if you are using SFP gpon you have to create bridge VoIP with vlan