Dual WAN with Vlan

Hello to all.
i’m trying to add second wan to my Mikrotik 2011UiAS-2HnD but i have some problems
my configuration is…

# may/24/2019 12:56:48 by RouterOS 6.43.2
# software id = U1J9-FEP9
#
# model = 2011UiAS-2HnD
# serial number = xxxxxxxxxxxx
/interface l2tp-server
add name=l2tp-in1 user=vpn
add name=l2tp-in2 user=vpn2
/interface bridge
add fast-forward=no name=bridge6-9
add fast-forward=no name=bridge_Vlan3_Guests
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no fast-forward=no name=bridge_Vlan4_HR
add fast-forward=no name=bridge_vlan2_Service
/interface ethernet
set [ find default-name=ether1 ] name=WAN1 speed=100Mbps
set [ find default-name=ether2 ] name=WAN2 speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=ether5 name=vlan2_Service vlan-id=2
add interface=ether5 name=vlan3_Guests vlan-id=3
add interface=ether5 name=vlan4_HR vlan-id=4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap eap-methods="" supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=profile_HR supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=profile_Service supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=profile_HotSpot supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=greece disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan_HR \
    security-profile=profile_HR ssid=Computer-Point wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan_HR multicast-buffering=disabled name=wlan_HotSpot security-profile=\
    profile_HotSpot ssid=Free_WiFi_Computer_Point wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xx:xx:xx:xx:xx:xx master-interface=wlan_HR multicast-buffering=disabled name=wlan_Service security-profile=\
    profile_Service ssid=Computer_Point_Service wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
add dns-name=hs-login.com hotspot-address=10.0.30.1 login-by=http-chap,http-pap name=hsprof1
/ip hotspot user profile
add name=social on-login="{:local date [/system clock get date ];:local time [/system clock get time ];:local uptime (1d);:local macaddressnya \$\"mac-address\";:local ipa\
    ddressnya \$\"address\";[/ip hotspot user set mac-address=\$\"macaddressnya\" comment=\"social_login\" [find where name=\$user]];[/system scheduler add disabled=no int\
    erval=\$uptime name=\$user on-event= \"[/ip hotspot active remove [find where user=\\\"\$user\\\"]];[/ip hotspot user remove [find where name=\\\"\$user\\\"]];[/ip hot\
    spot cookie remove [find user=\\\"\$user\\\"]];[/sys sch re [find where name=\\\"\$user\\\"]]\" start-date=\$date start-time=\$time];}}" rate-limit=256k/2048k
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool_vlan2_Server ranges=10.0.20.2-10.0.20.254
add name=pool_vlan3_guests ranges=10.0.30.2-10.0.30.254
add name=pool_6-9 ranges=192.168.88.2-192.168.88.20
add name=pool_vlan4_HR ranges=10.0.10.150-10.0.10.190
/ip dhcp-server
add address-pool=pool_6-9 disabled=no interface=bridge6-9 name=server6-9
add address-pool=pool_vlan2_Server disabled=no interface=bridge_vlan2_Service name=server_vlan2_Service
add address-pool=pool_vlan3_guests disabled=no interface=bridge_Vlan3_Guests name=server_vlan3_Guests
add address-pool=pool_vlan4_HR disabled=no interface=bridge_Vlan4_HR name=server_vlan4_HR
/ip hotspot
add address-pool=pool_vlan3_guests addresses-per-mac=1 disabled=no interface=bridge_Vlan3_Guests name=hotspot1 profile=hsprof1
/ppp profile
set *0 bridge=bridge_Vlan4_HR
add bridge=bridge_Vlan4_HR local-address=10.0.10.1 name=server remote-address=vpn
set *FFFFFFFE bridge=bridge_Vlan4_HR local-address=10.0.10.1 remote-address=pool_vlan4_HR
/interface bridge port
add bridge=bridge6-9 interface=ether6
add bridge=bridge6-9 interface=ether7
add bridge=bridge6-9 interface=ether8
add bridge=bridge6-9 interface=ether9
add bridge=bridge_Vlan3_Guests interface=ether3
add bridge=bridge_Vlan4_HR interface=ether4
add bridge=bridge_vlan2_Service interface=vlan2_Service
add bridge=bridge_Vlan3_Guests interface=vlan3_Guests
add bridge=bridge_Vlan4_HR interface=vlan4_HR
add bridge=bridge_Vlan4_HR interface=wlan_HR
add bridge=bridge_Vlan3_Guests interface=wlan_HotSpot
add bridge=bridge_vlan2_Service interface=wlan_Service
add bridge=bridge_vlan2_Service disabled=yes interface=WAN2
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge_Vlan4_HR list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=bridge6-9 list=LAN
add interface=bridge_Vlan3_Guests list=LAN
add interface=bridge_vlan2_Service list=LAN
add interface=l2tp-in1 list=LAN
add interface=l2tp-in2 list=LAN
add interface=WAN2 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireless access-list
add vlan-mode=no-tag
/ip address
add address=10.0.10.1/24 comment=defconf interface=vlan4_HR network=10.0.10.0
add address=10.0.20.1/24 interface=vlan2_Service network=10.0.20.0
add address=10.0.30.1/24 interface=vlan3_Guests network=10.0.30.0
add address=192.168.88.1/24 interface=ether6 network=192.168.88.0
add address=192.168.1.250/24 interface=WAN1 network=192.168.1.0
add address=10.1.10.90/24 interface=WAN2 network=10.1.10.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=WAN1
/ip dhcp-server network
add address=10.0.10.0/24 comment=defconf gateway=10.0.10.1 netmask=24
add address=10.0.20.0/24 comment=defconf gateway=10.0.20.1 netmask=24
add address=10.0.30.0/24 comment=defconf gateway=10.0.30.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.0.10.1 name=router.lan
add address=192.168.2.25 disabled=yes name=clients1.google.com
add address=192.168.2.25 disabled=yes name=clients3.google.com
add address=192.168.2.25 disabled=yes name=connectivitycheck.android.com
add address=192.168.2.25 disabled=yes name=connectivitycheck.gstatic.com
/ip firewall address-list
add address=10.0.30.2-10.0.30.254 list=guestss
/ip firewall filter
add action=accept chain=input comment=api dst-port=3306 protocol=udp
add action=accept chain=input comment=api dst-port=3306 protocol=tcp
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=return chain=hs-unauth disabled=yes dst-address=xxx.xxx.xxx.xxx in-interface=bridge_Vlan3_Guests
add action=return chain=hs-unauth-to disabled=yes out-interface=bridge_Vlan3_Guests src-address=xxx.xxx.xxx.xxx
add action=accept chain=forward disabled=yes dst-port=80 in-interface=WAN1 protocol=tcp
add action=drop chain=input comment="Drop new connections from blacklisted IP's to this router" connection-state=new in-interface=WAN1 src-address-list=blacklist
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow ISP Modem to HR(vlan4)" dst-address=192.168.1.1 src-address=10.0.10.0/24
add action=accept chain=forward comment="allow CPSRV to Service(vlan2)" dst-address=10.0.10.2 src-address=10.0.20.0/24
add action=drop chain=forward comment="Drop From Service(vlan2) To HR(vlan4)" dst-address=10.0.10.0/24 src-address=10.0.20.0/24
add action=drop chain=forward comment="Drop From Guests(vlan3) To HR(vlan4)" dst-address=10.0.10.0/24 src-address=10.0.30.0/24
add action=drop chain=forward comment="Drop From Service(vlan2) To Guests(vlan3)" dst-address=10.0.30.0/24 src-address=10.0.20.0/24
add action=drop chain=forward comment="Drop From Guests(vlan3) To Service(vlan2)" dst-address=10.0.20.0/24 src-address=10.0.30.0/24
add action=drop chain=forward comment="Isolate Vlan3 IPs" in-interface=bridge_Vlan3_Guests out-interface=bridge_Vlan3_Guests
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=drop chain=input comment="Block 389 for DNS fix" dst-port=389 in-interface=WAN1 protocol=udp
add action=drop chain=input comment="Block 389 for DNS fix" dst-port=389 in-interface=WAN1 protocol=tcp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=return chain=hs-unauth disabled=yes dst-address=xxx.xxx.xxx.xxx in-interface=bridge_Vlan3_Guests
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=10.0.10.0/24
*****************some port forward rules************************************
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.0.30.0/24
/ip hotspot user
add name=admin
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add disabled=yes dst-host=*facebook*
add disabled=yes dst-host=*akamaihd*
add disabled=yes dst-host=*fbcdn*
add disabled=yes dst-host=*instagram*
add disabled=yes dst-host=*google*
add disabled=yes dst-host=*googleapis*
add disabled=yes dst-host=*gstatic*
add disabled=yes dst-host=*googleusercontent*
add disabled=yes dst-host=*twitter*
add disabled=yes dst-host=*twimg*
add dst-host=*ipologistakias.gr*
add dst-host=*.socifi.com
add dst-host=*.facebook.com
add dst-host=*.akamaihd.net
add dst-host=*.akamai.net
add dst-host=*.edgecastcdn.net
add dst-host=*.edgekey.net
add dst-host=*.akamaiedge.net
add dst-host=*.twitter.com
add dst-host=twitter.com
add dst-host=*.twimg.com
add dst-host=*.fastly.net
add dst-host=*.licdn.net
add dst-host=*.cloudfront.net
add dst-host=facebook.com
add dst-host=*.fbcdn.net
add dst-host=*.instagram.com
add dst-host=instagram.com
add dst-host=*.cdninstagram.com
add dst-host=*.linkedin.com
add dst-host=linkedin.com
add dst-host=*.licdn.com
add dst-host=*.googleapis.com
add dst-host=*.googleusercontent.com
add dst-host=*.gstatic.com
add dst-host=*.accounts.youtube.com
add dst-host=*.apis.google.com
add dst-host=*.accounts.google.com
add dst-host=*.l.google.com
add dst-host=accounts.google.com
add dst-host=accounts.google.gr
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=xxx.xxx.xxx.xxx !dst-address-list !dst-port !protocol server=hotspot1 !src-address !src-address-list
add action=accept disabled=no dst-address=8.8.8.8 !dst-address-list !dst-port !protocol server=hotspot1 !src-address !src-address-list
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-strict passive=yes
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.10.0/24
set ssh disabled=yes
set www-ssl address=10.0.10.0/24
set api address=0.0.0.0/0 port=3306
set winbox address=10.0.10.0/24
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface pages
set 0 interfaces=wlan_HR
/ppp secret
add name=vpn
add name=vpn2
add name=ppp1ovpn profile=server
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=ComPoint
/system logging
add disabled=yes topics=l2tp
add topics=e-mail
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set silent-boot=no
*************some scripts*********************
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

i have try some things from varius forums but with no luck
i dont want load balancing or fail over

what i need to do is
vlan4_HR have internet through WAN1
vlan3_Guests and vlan2_Service have internet through WAN2
thats all

Any help or suggestions would be appreciate.
thank you.

All what you need is the following:

• /ip route add routing-mark=via-WAN2 gateway=10.1.10.x (set x as appropriate to make 10.1.10.x represent the IP of WAN2’s gateway) - this adds a default route into a routing table named via-WAN2
• /ip route rule
  add action=lookup table=main dst-address=10.0.0.0/8
  add action=lookup table=main dst-address=192.168.0.0/16
  add action=lookup-only-in-table table=via-WAN2 src-address=10.0.20.0/24
  add action=lookup-only-in-table table=via-WAN2 src-address=10.0.30.0/24
  Here, the first two rules shadow the last two ones for packets towards private IPs; the second two rules make packets from the subnets bound to vlan2_Service and vlan3_Guests to use exclusively their dedicated routing table, and do so even if WAN2 is down (so no failover to WAN1 will happen).

Thank you very much it WORKS!!!

From the magic book of Sindy Spells!
Sindy floats, then he must be a witch.
Burn the witch!!

When I am awake I will have to revisit this thread to unpretzel my brain to figure it out.
Perhaps I am never destined to see the Matrix.
Sob does the same magic for ip route rules… (its a damn coven)

Didn’t you figure out routing rules already? We were over this more than once.

Look at it, it’s self explanatory, it almost translates itself to plain English:

• if destination is 10.0.0.0/8, look it up in main table
• if destination is 192.168.0.0/16, look it up in main table
• if source is 10.0.20.0/24, look up destination only in via-WAN2 table
• if source is 10.0.30.0/24, look up destination only in via-WAN2 table

Plus the order matters and the first match wins, so if a packet matches both the first rule and the third rule (its destination fits into 10.0.0.0/8 and its source fits into 10.0.20.0/24), it is handled according to the first rule and it is never even seen by the third one.

If a packet matches none of the rules, its routing-mark (which is another name for the routing table) is not changed.

Each packet has to be routed, so routing rules must be always evaluated. That’s why routing rules don’t collide with fasttracking. Firewall rules allow to match many more fields than just src-address and dst-address (and support ranges and inversions also on src-address and dst-address), which makes them more powerful but also more CPU-hungry, plus using them to assign the routing-mark intrinsically interferes with fasttracking which is, let’s face it, a way to bypass most of the the firewall processing.

Hello again!!
i have problem accessing the vpn
i think that this happen right after the changes.
have any clue whats wrong?

In general as soon as you start playing with policy routing, you can easily break incoming connections to WAN (such as VPN or remote management connections to the router), but your case seemed safe in this regard as you only wanted to use WAN2 for particular LAN subnets.

I can see nothing in your configuration which would explain why my rules should break VPN access to anything except the two subnets you wanted to use WAN2. So use the force export again, Luke, say which of your 3 permitted VPNs (L2TP/IPsec, PPTP, SSTP) you actually use, and say what exactly doesn’t work - log in of the VPN client, access to anything on the LANs, or access to some subnets.

Now i see that i can connect to vpn from my mobile phone but not from my computer. maybe its something with windows 10 update to 1903 version.
i will check it again soon and i will reply. Thank you very much.

Hello again…
it was microsoft problem for vpn…
I can not use button above the wifi list to connect. I have to go from settings-vpn and connect from there. I dont know why this happen. I think its microsoft bug.
Anyway. I have some other issues like that i can not connect to winbox from vpn but i can ping mikrotik ip and i can not access from wan2 network mikrotik and network.
Can i explain my network and give you my config so you can take a look?

Sure. Network topologies are best explained by drawings. A photo of a handmade one is enough.

ok i will find some time tomorow to make the topology and export the configuration.
thank you very very much.

Hello again.
i finally manage to get some time to do the topology.
so here it is.



The First Mikrotik configuration:

# jun/09/2019 11:29:18 by RouterOS 6.43.2
# software id = U1J9-FEP9
#
# model = 2011UiAS-2HnD
# serial number = xxxxxxxxxxxxxxxx
/interface l2tp-server
add name=l2tp-in1 user=vpn
add name=l2tp-in2 user=vpn2
/interface bridge
add fast-forward=no name=bridge6-9
add fast-forward=no name=bridge_Vlan3_Guests
add admin-mac=XX:XX:XX:XX:XX:66 auto-mac=no fast-forward=no name=\
    bridge_Vlan4_HR
add fast-forward=no name=bridge_vlan2_Service
/interface ethernet
set [ find default-name=ether1 ] name=WAN1 speed=100Mbps
set [ find default-name=ether2 ] name=WAN2 speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=ether5 name=vlan2_Service vlan-id=2
add interface=ether5 name=vlan3_Guests vlan-id=3
add interface=ether5 name=vlan4_HR vlan-id=4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=\
    wpa-psk,wpa2-psk,wpa-eap,wpa2-eap eap-methods="" supplicant-identity=\
    MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile_HR supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile_Service \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed name=profile_HotSpot supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=profile_pinakida \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=greece disabled=no distance=indoors frequency=2437 mode=ap-bridge \
    name=wlan_HR security-profile=profile_HR ssid=Computer-Point \
    wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:24:06:70 \
    master-interface=wlan_HR multicast-buffering=disabled name=wlan_HotSpot \
    security-profile=profile_HotSpot ssid=Free_WiFi_Computer_Point \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:24:06:6F \
    master-interface=wlan_HR multicast-buffering=disabled name=wlan_Service \
    security-profile=profile_Service ssid=Computer_Point_Service \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
add dns-name=hs-login.com hotspot-address=10.0.30.1 login-by=\
    http-chap,http-pap name=hsprof1
/ip hotspot user profile
add name=social on-login="{:local date [/system clock get date ];:local time [\
    /system clock get time ];:local uptime (1d);:local macaddressnya \$\"mac-a\
    ddress\";:local ipaddressnya \$\"address\";[/ip hotspot user set mac-addre\
    ss=\$\"macaddressnya\" comment=\"social_login\" [find where name=\$user]];\
    [/system scheduler add disabled=no interval=\$uptime name=\$user on-event=\
    \_\"[/ip hotspot active remove [find where user=\\\"\$user\\\"]];[/ip hots\
    pot user remove [find where name=\\\"\$user\\\"]];[/ip hotspot cookie remo\
    ve [find user=\\\"\$user\\\"]];[/sys sch re [find where name=\\\"\$user\\\
    \"]]\" start-date=\$date start-time=\$time];}}" rate-limit=256k/2048k
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool_vlan2_Server ranges=10.0.20.2-10.0.20.254
add name=pool_vlan3_guests ranges=10.0.30.2-10.0.30.254
add name=pool_6-9 ranges=192.168.88.2-192.168.88.20
add name=pool_vlan4_HR ranges=10.0.10.150-10.0.10.190
/ip dhcp-server
add address-pool=pool_6-9 disabled=no interface=bridge6-9 name=server6-9
add address-pool=pool_vlan2_Server disabled=no interface=bridge_vlan2_Service \
    name=server_vlan2_Service
add address-pool=pool_vlan3_guests disabled=no interface=bridge_Vlan3_Guests \
    name=server_vlan3_Guests
add address-pool=pool_vlan4_HR disabled=no interface=bridge_Vlan4_HR name=\
    server_vlan4_HR
/ip hotspot
add address-pool=pool_vlan3_guests addresses-per-mac=1 disabled=no interface=\
    bridge_Vlan3_Guests name=hotspot1 profile=hsprof1
/ppp profile
set *0 bridge=bridge_Vlan4_HR
add bridge=bridge_Vlan4_HR local-address=10.0.10.1 name=server \
    remote-address=vpn
set *FFFFFFFE bridge=bridge_Vlan4_HR local-address=10.0.10.1 remote-address=\
    pool_vlan4_HR
/interface bridge port
add bridge=bridge6-9 interface=ether6
add bridge=bridge6-9 interface=ether7
add bridge=bridge6-9 interface=ether8
add bridge=bridge6-9 interface=ether9
add bridge=bridge_Vlan3_Guests interface=ether3
add bridge=bridge_Vlan4_HR interface=ether4
add bridge=bridge_vlan2_Service interface=vlan2_Service
add bridge=bridge_Vlan3_Guests interface=vlan3_Guests
add bridge=bridge_Vlan4_HR interface=vlan4_HR
add bridge=bridge_Vlan4_HR interface=wlan_HR
add bridge=bridge_Vlan3_Guests interface=wlan_HotSpot
add bridge=bridge_vlan2_Service interface=wlan_Service
add bridge=bridge_vlan2_Service disabled=yes interface=WAN2
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=bridge_Vlan4_HR list=LAN
add comment=defconf interface=WAN1 list=WAN
add interface=bridge6-9 list=LAN
add interface=bridge_Vlan3_Guests list=LAN
add interface=bridge_vlan2_Service list=LAN
add interface=l2tp-in1 list=LAN
add interface=l2tp-in2 list=LAN
add interface=WAN2 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireless access-list
add vlan-mode=no-tag
/ip address
add address=10.0.10.1/24 comment=defconf interface=vlan4_HR network=10.0.10.0
add address=10.0.20.1/24 interface=vlan2_Service network=10.0.20.0
add address=10.0.30.1/24 interface=vlan3_Guests network=10.0.30.0
add address=192.168.88.1/24 interface=ether6 network=192.168.88.0
add address=192.168.1.250/24 interface=WAN1 network=192.168.1.0
add address=10.1.10.90/24 interface=WAN2 network=10.1.10.0
add address=192.168.0.120/24 interface=WAN2 network=192.168.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=WAN1
add dhcp-options=hostname,clientid interface=WAN2
/ip dhcp-server network
add address=10.0.10.0/24 comment=defconf gateway=10.0.10.1 netmask=24
add address=10.0.20.0/24 comment=defconf gateway=10.0.20.1 netmask=24
add address=10.0.30.0/24 comment=defconf gateway=10.0.30.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.0.10.1 name=router.lan
add address=192.168.2.25 disabled=yes name=clients1.google.com
add address=192.168.2.25 disabled=yes name=clients3.google.com
add address=192.168.2.25 disabled=yes name=connectivitycheck.android.com
add address=192.168.2.25 disabled=yes name=connectivitycheck.gstatic.com
/ip firewall address-list
add address=10.0.30.2-10.0.30.254 list=guestss
----SOME BLACKLISTED ADDRESSES---------------
/ip firewall filter
add action=accept chain=input comment=api dst-port=3306 protocol=udp
add action=accept chain=input comment=api dst-port=3306 protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=return chain=hs-unauth disabled=yes dst-address=XXX.XXX.XXX(STATIC PUBLIC IP) \
    in-interface=bridge_Vlan3_Guests
add action=return chain=hs-unauth-to disabled=yes out-interface=\
    bridge_Vlan3_Guests src-address=XXX.XXX.XXX(STATIC PUBLIC IP)
add action=accept chain=forward disabled=yes dst-port=80 in-interface=WAN1 \
    protocol=tcp
add action=drop chain=input comment=\
    "Drop new connections from blacklisted IP's to this router" \
    connection-state=new in-interface=WAN1 src-address-list=blacklist
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="allow ISP Modem to HR(vlan4)" \
    dst-address=192.168.1.1 src-address=10.0.10.0/24
add action=accept chain=forward comment="allow CPSRV to Service(vlan2)" \
    dst-address=10.0.10.2 src-address=10.0.20.0/24
add action=drop chain=forward comment="Drop From Service(vlan2) To HR(vlan4)" \
    dst-address=10.0.10.0/24 src-address=10.0.20.0/24
add action=drop chain=forward comment="Drop From Guests(vlan3) To HR(vlan4)" \
    dst-address=10.0.10.0/24 src-address=10.0.30.0/24
add action=drop chain=forward comment=\
    "Drop From Service(vlan2) To Guests(vlan3)" dst-address=10.0.30.0/24 \
    src-address=10.0.20.0/24
add action=drop chain=forward comment=\
    "Drop From Guests(vlan3) To Service(vlan2)" dst-address=10.0.20.0/24 \
    src-address=10.0.30.0/24
add action=drop chain=forward comment="Isolate Vlan3 IPs" in-interface=\
    bridge_Vlan3_Guests out-interface=bridge_Vlan3_Guests
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=drop chain=input comment="Block 389 for DNS fix" dst-port=389 \
    in-interface=WAN1 protocol=udp
add action=drop chain=input comment="Block 389 for DNS fix" dst-port=389 \
    in-interface=WAN1 protocol=tcp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=return chain=hs-unauth disabled=yes dst-address=XXX.XXX.XXX(STATIC PUBLIC IP) \
    in-interface=bridge_Vlan3_Guests
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    10.0.10.0/24
------------SOME dst-nat-----------------------------
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.0.30.0/24
/ip hotspot user
add name=admin
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add disabled=yes dst-host=*facebook*
add disabled=yes dst-host=*akamaihd*
add disabled=yes dst-host=*fbcdn*
add disabled=yes dst-host=*instagram*
add disabled=yes dst-host=*google*
add disabled=yes dst-host=*googleapis*
add disabled=yes dst-host=*gstatic*
add disabled=yes dst-host=*googleusercontent*
add disabled=yes dst-host=*twitter*
add disabled=yes dst-host=*twimg*
add dst-host=*ipologistakias.gr*
add dst-host=*.socifi.com
add dst-host=*.facebook.com
add dst-host=*.akamaihd.net
add dst-host=*.akamai.net
add dst-host=*.edgecastcdn.net
add dst-host=*.edgekey.net
add dst-host=*.akamaiedge.net
add dst-host=*.twitter.com
add dst-host=twitter.com
add dst-host=*.twimg.com
add dst-host=*.fastly.net
add dst-host=*.licdn.net
add dst-host=*.cloudfront.net
add dst-host=facebook.com
add dst-host=*.fbcdn.net
add dst-host=*.instagram.com
add dst-host=instagram.com
add dst-host=*.cdninstagram.com
add dst-host=*.linkedin.com
add dst-host=linkedin.com
add dst-host=*.licdn.com
add dst-host=*.googleapis.com
add dst-host=*.googleusercontent.com
add dst-host=*.gstatic.com
add dst-host=*.accounts.youtube.com
add dst-host=*.apis.google.com
add dst-host=*.accounts.google.com
add dst-host=*.l.google.com
add dst-host=accounts.google.com
add dst-host=accounts.google.gr
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=XXX.XXX.XXX(STATIC PUBLIC IP) !dst-address-list \
    !dst-port !protocol server=hotspot1 !src-address !src-address-list
add action=accept disabled=no dst-address=8.8.8.8 !dst-address-list !dst-port \
    !protocol server=hotspot1 !src-address !src-address-list
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-strict passive=yes
/ip route
add distance=1 gateway=10.1.10.1 routing-mark=via-WAN2
add distance=1 gateway=192.168.1.1
/ip route rule
add dst-address=10.0.0.0/8 table=main
add dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table src-address=10.0.20.0/24 table=via-WAN2
add action=lookup-only-in-table src-address=10.0.30.0/24 table=via-WAN2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.10.0/24
set ssh disabled=yes
set www-ssl address=10.0.10.0/24
set api address=0.0.0.0/0 port=3306
set winbox address=10.0.10.0/24
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats time-interval=hour
/lcd interface pages
set 0 interfaces=wlan_HR
/ppp secret
add name=vpn
add name=vpn2
add name=ppp1ovpn profile=server
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=ComPoint
/system logging
add disabled=yes topics=l2tp
add topics=e-mail
/system ntp client
set enabled=yes server-dns-names=\
    0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system routerboard settings
set silent-boot=no
--------------SOME SCRIPTS----------
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The second Mikrotik configuration:

# jun/09/2019 10:16:23 by RouterOS 6.42.6
# software id = LTIE-SZY1
#
# model = RouterBOARD 941-2nD
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:75 auto-mac=no name=bridge_vlan10
add admin-mac=xx:xx:xx:xx:xx:75 auto-mac=no name=bridge_vlan20
add admin-mac=xx:xx:xx:xx:xx:75 auto-mac=no name=bridge_vlan30
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=greece disabled=no distance=indoors frequency=auto mode=ap-bridge \
    ssid=HomeWiFi_Down tx-power=22 tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11
/interface l2tp-client
add connect-to=XXX.XXX.XXX.XXX(other MT static PUBLIC ip) name=l2tp-out1 use-ipsec=yes user=vpn2
/interface vlan
add interface=ether4 name=vlan10_a vlan-id=10
add interface=ether4 name=vlan20_n vlan-id=20
add interface=ether4 name=vlan30_guests vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed name=Hotspot_profile supplicant-identity=""
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=02:00:00:AA:00:01 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
    security-profile=Hotspot_profile ssid=Free_Wi-Fi wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
add dns-name=login-hs.com hotspot-address=10.1.30.1 login-by=\
    http-chap,http-pap name=hsprof1
/ip hotspot user profile
set [ find default=yes ] on-login="{:local date [/system clock get date ];:loc\
    al time [/system clock get time ];:local uptime (1d);:local macaddressnya \
    \$\"mac-address\";:local ipaddressnya \$\"address\";[/ip hotspot user set \
    mac-address=\$\"macaddressnya\" comment=\"social_login\" [find where name=\
    \$user]];[/system scheduler add disabled=no interval=\$uptime name=\$user \
    on-event= \"[/ip hotspot active remove [find where user=\$user]];[/ip hots\
    pot user remove [find where name=\$user]];[/ip hotspot cookie remove [find\
    \_user=\$user]];[/sys sch re [find where name=\$user]]\" start-date=\$date\
    \_start-time=\$time];}}" rate-limit=256k/2048k
add name=social on-login="{:local date [/system clock get date ];:local time [\
    /system clock get time ];:local uptime (1d);:local macaddressnya \$\"mac-a\
    ddress\";:local ipaddressnya \$\"address\";[/ip hotspot user set mac-addre\
    ss=\$\"macaddressnya\" comment=\"social_login\" [find where name=\$user]];\
    [/system scheduler add disabled=no interval=\$uptime name=\$user on-event=\
    \_\"[/ip hotspot active remove [find where user=\\\"\$user\\\"]];[/ip hots\
    pot user remove [find where name=\\\"\$user\\\"]];[/ip hotspot cookie remo\
    ve [find user=\\\"\$user\\\"]];[/sys sch re [find where name=\\\"\$user\\\
    \"]]\" start-date=\$date start-time=\$time];}}" rate-limit=256k/2048k
/ip pool
add name=dhcp ranges=10.1.10.100-10.1.10.200
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool_vlan20 ranges=10.1.20.100-10.1.20.200
add name=pool_vlan30 ranges=10.1.30.100-10.1.30.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge_vlan10 name=defconf
add address-pool=pool_vlan20 disabled=no interface=bridge_vlan20 name=\
    server_vlan20_n
add address-pool=pool_vlan30 disabled=no interface=bridge_vlan30 name=\
    server_vlan30_guests
/ip hotspot
add address-pool=pool_vlan30 disabled=no interface=bridge_vlan30 name=\
    hotspot1 profile=hsprof1
/queue simple
add disabled=yes max-limit=5M/50M name=queue_All target=10.1.10.0/24
add disabled=yes max-limit=10M/3M name=queue1 parent=queue_All target=\
    10.0.10.200/32
/interface bridge port
add bridge=bridge_vlan10 comment=A interface=ether2
add bridge=bridge_vlan10 interface=wlan1
add bridge=bridge_vlan10 interface=vlan10_a
add bridge=bridge_vlan20 comment=N interface=ether3
add bridge=bridge_vlan20 interface=vlan20_n
add bridge=bridge_vlan30 comment=Guests interface=vlan30_guests
add bridge=bridge_vlan30 interface=wlan2
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge_vlan10 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge_vlan20 list=LAN
add interface=bridge_vlan30 list=LAN
add interface=l2tp-out1 list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.1.10.1/24 comment=a interface=vlan10_a network=10.1.10.0
add address=10.1.20.1/24 comment=n interface=vlan20_n network=10.1.20.0
add address=10.1.30.1/24 comment=guests interface=vlan30_guests network=\
    10.1.30.0
add address=192.168.1.253/24 comment=Internet interface=ether1 network=\
    192.168.1.0
add address=192.168.0.159/24 comment=a interface=vlan10_a network=\
    192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=10.1.10.197 comment="xxxxxxxxxxxxx" mac-address=xx:xx:xx:xx:61:74 \
    server=defconf
add address=10.1.10.196 comment="xxxxxxxxxxx" mac-address=xx:xx:xx:xx:E9:94 \
    server=defconf
/ip dhcp-server network
add address=10.1.10.0/24 comment=defconf gateway=10.1.10.1 netmask=24
add address=10.1.20.0/24 comment=defconf gateway=10.1.20.1 netmask=24
add address=10.1.30.0/24 comment=defconf dns-server=10.1.30.1 gateway=\
    10.1.30.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.1.10.1 name=router.lan
add address=192.168.0.111 name=clients1.google.com ttl=5m
add address=192.168.0.111 name=clients3.google.com ttl=5m
add address=192.168.0.111 name=connectivitycheck.android.com ttl=5m
add address=192.168.0.111 name=clients.l.google.com ttl=5m
add address=192.168.0.111 name=connectivitycheck.gstatic.com ttl=5m
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=drop chain=forward comment=\
    "Drop From Guests(vlan30) To A(vlan10)" dst-address=10.1.10.0/24 \
    src-address=10.1.30.0/24
add action=drop chain=forward comment=\
    "Drop From Guests(vlan30) To N(vlan20)" dst-address=10.1.20.0/24 \
    src-address=10.1.30.0/24
add action=drop chain=forward comment=\
    "Drop From N(vlan20) To A(vlan10)" dst-address=10.1.10.0/24 \
    src-address=10.1.20.0/24
add action=drop chain=forward comment=\
    "Drop From N(vlan20) To guests(vlan30)" dst-address=10.1.30.0/24 \
    src-address=10.1.20.0/24
add action=accept chain=input comment=api dst-port=3307 protocol=tcp
add action=accept chain=input comment=api dst-port=3307 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="allow ISP Modem to A(vlan10)" \
    dst-address=192.168.1.250 src-address=10.1.10.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=accept chain=srcnat dst-address=10.1.10.0/24 src-address=\
    10.0.10.0/24
add action=accept chain=srcnat dst-address=10.1.10.197 src-address=\
    10.1.10.196
add action=accept chain=srcnat dst-address=10.1.10.196 src-address=\
    10.1.10.197
add action=accept chain=srcnat dst-address=10.0.10.0/24 src-address=\
    10.1.10.0/24
add action=dst-nat chain=dstnat comment=Hotspot dst-port=3307 in-interface=\
    ether1 protocol=tcp to-addresses=10.1.10.1 to-ports=3307
add action=dst-nat chain=dstnat comment=Hotspot dst-port=3307 in-interface=\
    ether1 protocol=udp to-addresses=10.1.10.1 to-ports=3307
---------------some dst-nat rules--------------------
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.1.30.0/24
/ip firewall service-port
set sip disabled=yes
/ip hotspot user
add name=admin
add comment=Guests name=d
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add disabled=yes dst-host=*facebook*
add disabled=yes dst-host=*akamai*
add disabled=yes dst-host=*fbcdn*
add disabled=yes dst-host=*google*
add disabled=yes dst-host=*googleapis*
add disabled=yes dst-host=*gstatic*
add dst-host=*ipologistakias*
add dst-host=*.facebook.com
add dst-host=*.akamaihd.net
add dst-host=*.akamai.net
add dst-host=*.edgecastcdn.net
add dst-host=*.edgekey.net
add dst-host=*.akamaiedge.net
add dst-host=*.twitter.com
add dst-host=twitter.com
add dst-host=*.twimg.com
add dst-host=*.fastly.net
add dst-host=*.licdn.net
add dst-host=*.cloudfront.net
add dst-host=facebook.com
add dst-host=*.fbcdn.net
add dst-host=*.instagram.com
add dst-host=instagram.com
add dst-host=*.cdninstagram.com
add dst-host=*.linkedin.com
add dst-host=linkedin.com
add dst-host=*.licdn.com
add dst-host=*.googleapis.com
add dst-host=*.googleusercontent.com
add dst-host=*.gstatic.com
add dst-host=*.accounts.youtube.com
add dst-host=*.apis.google.com
add dst-host=*.accounts.google.com
add dst-host=*.l.google.com
add dst-host=accounts.google.com
add dst-host=accounts.google.gr
/ip hotspot walled-garden ip
add action=accept disabled=no dst-address=XXX.XXX.XXX.XXX(other MT static PUBLIC ip) !dst-address-list \
    !dst-port !protocol server=hotspot1 !src-address !src-address-list
add action=accept disabled=no dst-address=8.8.8.8 !dst-address-list !dst-port \
    !protocol server=hotspot1 !src-address !src-address-list
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api port=3307
set winbox address=10.1.10.0/24,10.0.10.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Athens
/system logging
add disabled=yes topics=l2tp
add topics=e-mail
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I want to fix some things like:

• 10.0.10.xx(vlan2) from siteA and 10.1.10.xx(vlan10_a) from siteB can see each other
  can both see 192.168.155-156
  can both see the two isp modems(i think i must change one ip of one modem because they have the same ip)
  they will be isolated from all other vlans siteA and siteB.
• From 10.0.20.xx(vlan2_Service) siteA can see 10.0.10.2 and 10.0.10.11 (vlan2) from siteA.
• All the vlan users can see eatch other from the same vlan only with the exceptions i write above and the vlan30_guests siteA and vlan3_Guests siteB will not see each other and from the same vlan.

Any help is appreciated.

Before I even start to read your configurations in detail, please clarify the requirements, I’m a bit confused:

So what you’ve described above are behaviours which you want to fix (i.e. the target state is that hosts in 10.0.10.0/24 can not see hosts in 10.1.10.0/24 and the current (wrong) state is that they can)? Or this is what you want to happen, i.e. the target state is that hosts in 10.0.10.0/24 can see hosts in 10.1.10.0/24?

What exceptions do you have in mind? All what you wrote above deals with hosts in different VLANs.

I suppose both the vlans you mention are actually only used by wireless devices, so the isolation of clients of the same AP must be provided by the AP. However, already with vlan3_Guests at Site A, you have two APs, the D-Link one and Mikrotik’s own one (and it is not clear whether you have just a single external one as the drawing shows one but the bridge_vlan3_Guests has one access port (ether3) and one trunk port (ether5)). So by setting default-forwarding in the /interface wireless settings to no you can prevent clients connected to that AP from seeing each other, and there is probably a similar setting at the D-Link AP, but to prevent a client connected to the 2011 from seeing a client connected to the D-Link, you have to set the same horizon value to all /interface bridge port items with bridge=bridge_Vlan3_Guests to prevent frames to be forwarded from one AP to another one while allowing all APs to exchange frames with the Mikrotik itself, or do the same using /interface bridge filter rules.

Your existing rule action=drop chain=forward comment=“Isolate Vlan3 IPs” in-interface=bridge_Vlan3_Guests out-interface=bridge_Vlan3_Guests in /ip firewall filter serves the purpose described above but for the cost of all bridged frames, including those on bridges which don’t need host isolation, being pushed through the IP firewall (so probably wasting more CPU than necessary) due to use-ip-firewal in /interface bridge settings being set to yes. But as explained above, it only handles traffic between ports of the bridge, which is not the case for traffic between clients of the same AP.

Additionally, you have a basic mistake there, the IP configuration must be attached to bridge_vlan3_Guests, not to just one of its slave interfaces, vlan3_Guests.


Also, I didn’t get the two lines connecting the Ubiquiti at Site B as the Ubiquiti LB3-5AC-23 has just a single Ethernet port. What’s the idea behind those two lines, does one of them represent a physical connection and the other one a logical one?

Hello.
First sorry for my English.

Before I even start to read your configurations in detail, please clarify the requirements, I’m a bit confused:
I want to fix some things like:

• 10.0.10.xx(vlan2) from siteA and 10.1.10.xx(vlan10_a) from siteB can see each other
  can both see 192.168.155-156
  can both see the two isp modems(i think i must change one ip of one modem because they have the same ip)
  …
  So what you’ve described above are behaviours which you want to fix (i.e. the target state is that hosts in 10.0.10.0/24 can not see hosts in 10.1.10.0/24 and the current (wrong) state is that they can)? Or this is what you want to happen, i.e. the target state is that hosts in 10.0.10.0/24 can see hosts in 10.1.10.0/24?

The things i write is the target state i.e. that hosts in 10.0.10.0/24 must see hosts in 10.1.10.0/24.

All the vlan users can see eatch other from the same vlan only with the exceptions i write above
What exceptions do you have in mind? All what you wrote above deals with hosts in different VLANs.

i want vlan4_HR (that is the internal network with file servers,voip servers, organizations computers, voip phones and other) to be accessable from vlan10_a
i.e. Now im connected to MT wifi “HomeWiFi_Down” at siteB(witch is vlan10_a) but i can not ping 10.0.10.1 or access MT siteA(vlan4_HR) via winbox and i want to be able to.
so the config i need is:
10.0.10.xx to be able to see 10.1.10.xx
10.1.10.xx to be able to see 10.0.10.xx
10.0.20.xx to be able to see only 10.0.10.11 and 10.0.10.2 from 10.0.10.xx vlan
10.0.10.xx and 10.1.10.xx to be able to see the two modems and the two ubiquity devices that connect the two sites

the vlan30_guests siteA and vlan3_Guests siteB will not see each other and from the same vlan.
I suppose both the vlans you mention are actually only used by wireless devices, so the isolation of clients of the same AP must be provided by the AP. However, already with vlan3_Guests at Site A, you have two APs, the D-Link one and Mikrotik’s own one (and it is not clear whether you have just a single external one as the drawing shows one but the bridge_vlan3_Guests has one access port (ether3) and one trunk port (ether5)). So by setting default-forwarding in the /interface wireless settings to no you can prevent clients connected to that AP from seeing each other, and there is probably a similar setting at the D-Link AP, but to prevent a client connected to the 2011 from seeing a client connected to the D-Link, you have to set the same horizon value to all /interface bridge port items with bridge=bridge_Vlan3_Guests to prevent frames to be forwarded from one AP to another one while allowing all APs to exchange frames with the Mikrotik itself, or do the same using /interface bridge filter rules.

Your existing rule action=drop chain=forward comment=“Isolate Vlan3 IPs” in-interface=bridge_Vlan3_Guests out-interface=bridge_Vlan3_Guests in /ip firewall filter serves the purpose described above but for the cost of all bridged frames, including those on bridges which don’t need host isolation, being pushed through the IP firewall (so probably wasting more CPU than necessary) due to use-ip-firewal in /interface bridge settings being set to yes. But as explained above, it only handles traffic between ports of the bridge, which is not the case for traffic between clients of the same AP.

Additionally, you have a basic mistake there, the IP configuration must be attached to bridge_vlan3_Guests, not to just one of its slave interfaces, vlan3_Guests.

For wifi at the moment i use the internal wifi of two Mikrotik but i want to be able to put more AP’s.

I dont understand some parts

So by setting default-forwarding in the /interface wireless settings to no you can prevent clients connected to that AP from seeing each other, and there is probably a similar setting at the D-Link AP, but to prevent a client connected to the 2011 from seeing a client connected to the D-Link, you have to set the same horizon value to all /interface bridge port items with bridge=bridge_Vlan3_Guests to prevent frames to be forwarded from one AP to another one while allowing all APs to exchange frames with the Mikrotik itself, or do the same using /interface bridge filter rules.

so if i want guests isolation i have to do it from settings of each external AP device.
remove existing rule action=drop chain=forward comment=“Isolate Vlan3 IPs” in-interface=bridge_Vlan3_Guests out-interface=bridge_Vlan3_Guests .
use-ip-firewal in /interface bridge settings set to NO .
and i dont understand

you have to set the same horizon value to all /interface bridge port items with bridge=bridge_Vlan3_Guests

about

Additionally, you have a basic mistake there, the IP configuration must be attached to bridge_vlan3_Guests, not to just one of its slave interfaces, vlan3_Guests.

you say that i have to change
/ip address
add address=10.0.30.1/24 interface=vlan3_Guests network=10.0.30.0
to
/ip address
add address=10.0.30.1/24 interface=bridge_vlan3_Guests network=10.0.30.0 ?

Also, I didn’t get the two lines connecting the Ubiquiti at Site B as the Ubiquiti LB3-5AC-23 has just a single Ethernet port. What’s the idea behind those two lines, does one of them represent a physical connection and the other one a logical one?

the two ubiquity connect the two sites 2.5km so i can use the internet from siteB to siteA and so i can access both vlan4_HR and vlan10_a

i’m not good with english. i hope that i make things more clear now.

That’s not so much a matter of English but rather of an abilty to read your post before actually sending it as if you were a first-time reader. It’s a skill of its own kind which I also haven’t mastered yet

OK, that’s a great start. I prefer that the firewalls to follow the “drop everything, allow only exceptions” philosophy, as when you forget to permit something, your legal users let you know quickly. If you run the “allow everything, drop only exceptions” model, your illegal users will never tell you what you’ve forgotten to drop.

In the last line above, I read “to see” in the meaning of “to be able to manage”, is that a correct understanding? And if yes, are you sure it is that what you really want? Because it is not necessary to permit access to management of the Unifi radios to all hosts in 10.0.10.0/24 and 10.1.10.0/24 in order to allow the hosts to route their other traffic through the radios, that’s separate things.

I would recommend to use cAP ac or hAP ac² for this task rather than some D-link stuff. It is convenient to have all your SSIDs up on each AP, and the advantage of the other APs being also Mikrotik ones is that you can use CAPsMAN to centrally manage all the clients as if by a single AP although they are physically migrating among several physical ones. And if you do take that way, one of these devices should also take over the routing and firewalling tasks of the 2011 because let’s face it, their CPUs are much more powerful than the one of the 2011.

The first thing you have to understand is that /ip firewall normally works at L3, i.e. it affects packets routed between subnets. Clients within the same IP subnet send frames carrying IP packets directly to each other, so if two such clients are connected e.g. to your D-link 24-port switch, these frames never arrive to Mikrotik as they take the shortest path available, which is between the ports of the D-link. And you can see a wireless AP as an equivalent of the D-link - frames sent between clients of the same SSID on the same AP are normally forwarded (or not) only by the AP, they don’t get anywhere else. So regardless whether you use /interface bridge filter (which you can see as an L2 firewall) or whether you force bridge forwarding through the L3 firewall, it only works on frames whose native path goes through the Mikrotik.

This is true for isolation of guests associated to the same AP (not only external ones, also Mikrotik’s own one). Two guests, each associated to another one out of APs interconnected at L2 level, will see each other even when you disable client-to-client forwarding at the APs. When an AP receives a frame over the air for a MAC address of another client of itself, it knows by the associations table that the destination is another client of itself, so it can decide not to forward it. But when it receives a frame for a MAC address which is not in the client associations table, it must forward it to the “wired” side as it doesn’t know whether it is a MAC of another AP’s client or a MAC of the gateway.

That existing rule is one of the possible ways how to isolate clients of different APs connected to each other at L2 level from each other. Its only negative aspect is that it indirectly adds unnecessary CPU load, because in order to make it work, you have to run traffic of all bridges in the system through the IP firewall. So if you remove it, you have to functionally replace it by something else providing the same functionality. One possibility is to use the “horizon” value which is a really simple method - traffic on the bridge is only forwarded between ports with different values of “horizon” or, in another words, traffic on the bridge is never forwarded between ports with the same value of “horizon”. You don’t need to set up anything else, just assign the same horizon value to all the ports of the bridge, to isolate the APs from each other. If you’d use a single bridge for multiple VLANs, which you currently don’t, this method would be too coarse, so you would have to do the same using /interface bridge filter rules which would allow you to take VLAN IDs into account (so that you would be able to permit forwarding from port A to port B for VLAN X but not for VLAN Y).

Correct. There may be other similar mistakes too, I’ve just spotted only this one as I was looking only at the bridge_vlan3_Guests configiration because it is the only one affected by the client isolation topic.

You didn’t get me. I understand that the Ubiquiti radios interconnect the sites, but the drawing says that the Ubiquiti at the right site is connected both to the 2011 and to the “simple GB switch” at the same time which is physically impossible. So I’m asking whether it is just a mistake or whether there is some deeper thought behind it, just poorly expressed by the drawing.

As for using the internet uplink of the “remote” site as a backup of the internet uplink of each “local” site, it is definitely possible, it just requires policy routing.

i understand the diference and i want my firewall to be “drop everything, allow only exceptions”. is my firewall correct for this?

i only want to have access at the 2 ubiquity antenna so i can see the link. i think that i can give antennass 10.0.10.xxx ip so i will able to go to web interface from 10.0.10.xxx and from 10.1.10.xxx network. is that ok?

For the moment and for test only i will use 790l that i allready have and for the future i will play with cAP for sure.

so if i get it corect i have to go to bridge-ports and every port tha is at the same bridge “bridge_Vlan3_Guests” to put at the same horizon so trafic wil not go from one to other

ok i read about horizon and i think that i understand… i will set the same horizon value to all /interface bridge port items with bridge=bridge_Vlan3_Guests and i will uncheck “use ip firewall” at brdge - bridge - settings.

So so so sorry i didnt see it. its mistake at the drawing… i realy dont have “deeper thought behind it” i only want to connect siteA to SiteB

So i get it about horizon and issolation i think.
Another problem tha i see is that i can not access 10.0.10.xx from 10.1.10.xx but i only can access 10.1.10.xx from 10.0.10.xx
i try to add at ip-routes one route with dst.10.0.10.0/24 and gateway 10.1.10.90 witch is the ip from the siteA wan2 port but i only can ping 10.0.10.1 from 10.1.10.xx
And one question that i have is what else is efected dy turn off IP firewall? the rules that i have at firewall like the one to able to aceess only 10.0.10.2 from 10.0.20.xx but nothin else from 10.0.10,xx is that get efected?

In its current shape not so much, because you’ve basically taken the default firewall provided by Mikrotik for SOHO devices and added some action=drop rules to it. But the default firewall is designed for the “1 internet-facing WAN, 1 LAN with no dangerous device” case, so the last “drop the rest” rule of each chain always has some exception; in chain forward it is “drop everything what comes from WAN if it has not been dst-nated”, so packets between different LAN subnets are not dropped, which you substitute by dropping them by some of the preceding rules. To follow the philosophy mentioned above strictly, you’d have to remove the “in-interface=WAN” (and also the connection-nat-state=dstnat if you don’t plan any dst-nated connection from outside to be permitted) from the last rule in forward. This will make all the action=drop rules before this one redundant, but you’ll have to add permissive rules for the traffic you want to let through. In the simplest case these can be “in-interface=X out-interface=Y action=accept”, in other cases, there will be more match conditions to provide more detailed selection.

Another thing to do is to put the “action=fasttrack connection-state=established,related,untracked” and “action=accept connection-state=established,related,untracked” rules to the top of the chain. The idea of a stateful firewall is that you take the decision whether to permit or deny a connection while handling its initial packet, and letting all connections whose initial packet has been accepted to be accepted as a whole. This means that the bulk of the packets will be handled by fasttracking or, for those few packets which belong to fasttracked connections but are not actually fasttracked, by the first two rules in the forward chain, and only the initial packets of each connection will reach the selective rules following those first two ones.

Chain input (which deals with packets coming to Mikrotik itself) basically needs a similar reworking, plus I’d personally restrict the access to management services (winbox, ssh, whatever else you use) only to one of the LANs. Just be very careful, add such permissive rule(s) for management access first, establish a new managament connection, check that the corresponding rule has counted a packet, and only then change the last rule in chain=input to “drop everything”.

Yes.

Yes.

Okay, but which connection actually exists? You haven’t updated the picture so there are still both

This may be both a routing issue and a firewall issue; “ip route check x.x.x.x” will tell you what is the out-interface for packets towards x.x.x.x regardless whether the firewall will them through or not. So you can use it to check which part is the problem, route or firewall.

I’m not sure I get this question. The default handling in all firewall chains is “accept”, so by turning off IP firewall (= removing or disabling all IP firewall rules) the access will be permitted for anybody anywhere if a route is available.Routes to “connected subnets” (those into which one of Mikrotik’s own addresses falls) are added automatically.

If by “turn off IP firewall” you mean setting of “use-ip-firewall” to “no” in bridge settings, it means that frames between member ports of the same bridge will not be handled by IP firewall, which is normally OK as hosts in the same subnet send packets to each other via the Mikrotik only if there is no shorter path between them (e.g. via the unmanaged switch).