Gold Standard VLAN set-up on limited infra

I'm struggling with the best vlan configuration and I think I have made a few errors. I've asked Gemini like a million times but every time I correct something, I get new errors. It tells me to tag, and then not to tag... sigh

Could you guys take a look at my configuration?
The devices are:
WAN <-> CCR2116 router <-> CRS326 switch <-> 2x hAP ax³, plus some devices connected via Ethernet to the switch.

The goal is to separate traffic using VLANs like this:

vlan10: wireless personal devices (iPhone, iPad, laptops) and some VLAN-unaware computers

vlan20: guest network with internet access only; no access to the other VLANs except the Apple TV on the CRS326

vlan30: IoT devices that should only have internet access, no access to other VLANs

vlan99: management vlan

Network diagram is provided in the attached image.

router config (the CCR2116; the switch config follows further down):
# 2025-12-29 21:36:41 by RouterOS 7.20.6

# model = CCR2116-12G-4S+
# NOTE(review): the paste joined "/interface bridge", its "add ..." line and "/interface wifi" onto
# one line; in the export they are three separate lines. The export shows no vlan-filtering=yes on
# bridgeLocal, so the /interface bridge vlan table further down is not enforced: every bridge port
# is one untagged L2 domain (192.168.1.0/24) until vlan-filtering is enabled. Enable it last, after
# the tagged/pvid assignments below are verified, from a path that carries VLAN 99.
/interface bridgeadd admin-mac=78:9A:18:A0:7B:E2 auto-mac=no comment=defconf name=bridgeLocal port-cost-mode=short priority=0x1000/interface wifi
# The next line appears to be an export annotation whose leading "#" was lost in the paste. The CAP
# MAC matches the static lease 192.168.1.59 in /ip dhcp-server lease below, i.e. the AP is managed
# over the untagged network, not over VLAN 99.
(operated by CAP 18:FD:74:FE:E4:57%bridgeLocal, traffic processing on CAP)
# NOTE(review): this is an enabled CAP-operated wifi interface (ssid MT2, wpa2/wpa3) that shares the
# name "sec-home" with the security profile below. It has no datapath=, so its clients land untagged
# on bridgeLocal (192.168.1.0/24), outside the VLAN scheme. Confirm it is intended; MT2 is not one of
# the HomeWiFi/GuestWiFi SSIDs provisioned further down.
add configuration.country=Sweden .mode=ap .ssid=MT2 disabled=no name=sec-home radio-mac=18:FD:74:FE:E4:5D security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# Router-side L3 interfaces, one per VLAN, all on bridgeLocal.
/interface vlan
add interface=bridgeLocal name=vlan10-home vlan-id=10
add interface=bridgeLocal name=vlan20-guest vlan-id=20
add interface=bridgeLocal name=vlan30-iot vlan-id=30
add interface=bridgeLocal name=vlan99-mgmt vlan-id=99
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax comment=ch-2g-01 disabled=no frequency=2412 name=ch-2g-01 width=20mhz
add band=2ghz-ax comment=ch-2g-06 disabled=no frequency=2437 name=ch-2g-06 width=20mhz
add band=2ghz-ax comment=ch-2g-11 disabled=no frequency=2462 name=ch-2g-11 width=20mhz
add band=5ghz-ax comment=ch-5g-36 disabled=no frequency=5180 name=ch-5g-36 skip-dfs-channels=disabled width=20/40/80+80mhz
add band=5ghz-ax comment=ch-5g-52 disabled=no frequency=5260 name=ch-5g-52 width=20/40/80+80mhz
add band=5ghz-ax comment=ch-5g-100 disabled=no frequency=5500 name=ch-5g-100 width=20/40/80+80mhz
# Each datapath tags wifi clients into a VLAN via vlan-id on bridgeLocal. dp-iot is not referenced
# by any /interface wifi configuration below, so VLAN 30 currently has no SSID at all.
/interface wifi datapath
add bridge=bridgeLocal comment=dp-home disabled=no name=dp-home vlan-id=10
add bridge=bridgeLocal comment=dp-guest disabled=no name=dp-guest vlan-id=20
add bridge=bridgeLocal comment=dp-iot disabled=no name=dp-iot vlan-id=30
# sec-iot is WPA2-only without management-protection, presumably for IoT client compatibility;
# like dp-iot it is not used by any configuration in this export.
/interface wifi security
add authentication-types=wpa3-psk comment=sec-home disabled=no ft=yes ft-over-ds=yes management-protection=required name=sec-home
add authentication-types=wpa3-psk comment=sec-guest disabled=no ft=yes ft-over-ds=yes management-protection=required name=sec-guest
add authentication-types=wpa2-psk comment=sec-iot disabled=no ft=yes ft-over-ds=yes name=sec-iot
# The "ssid=" / "HomeWiFi" pairs below are one command each (paste line-wrapping).
/interface wifi configuration
add channel=ch-2g-06 comment=cfg-home-mid country=Sweden datapath=dp-home disabled=no name=cfg-home-mid security=sec-home ssid=HomeWiFi
add channel=ch-2g-11 comment=cfg-home-east country=Sweden datapath=dp-home disabled=no name=cfg-home-east security=sec-home ssid=HomeWiFi
add channel=ch-2g-11 comment=cfg-home-west country=Sweden datapath=dp-home disabled=no name=cfg-home-west security=sec-home ssid=HomeWiFi
add channel=ch-5g-36 channel.skip-dfs-channels=disabled .width=20/40/80mhz comment=cfg-home-east5 country=Sweden datapath=dp-home disabled=no name=cfg-home-east5 security=sec-home ssid=
HomeWiFi
add channel=ch-5g-52 channel.skip-dfs-channels=disabled .width=20/40/80mhz comment=cfg-home-mid5 country=Sweden datapath=dp-home disabled=no name=cfg-home-mid5 security=sec-home ssid=
HomeWiFi
add channel=ch-5g-100 channel.skip-dfs-channels=disabled .width=20/40/80mhz comment=cfg-home-west5 country=Sweden datapath=dp-home disabled=no name=cfg-home-west5 security=sec-home
ssid=HomeWiFi
add comment=cfg-guest-east country=Sweden datapath=dp-guest disabled=no name=cfg-guest-east security=sec-guest ssid=GuestWiFi
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool3 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool4 ranges=192.168.30.2-192.168.30.254
# dhcp1 serves the untagged bridge (192.168.1.0/24). Every port without a pvid lands there,
# including the switch and the AP (see the static leases below), so the untagged network is the
# de-facto management network rather than VLAN 99.
/ip dhcp-server
add address-pool=dhcp interface=bridgeLocal lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=vlan99-mgmt name=dhcp2
add address-pool=dhcp_pool2 interface=vlan10-home name=dhcp3
add address-pool=dhcp_pool3 interface=vlan20-guest name=dhcp4
add address-pool=dhcp_pool4 interface=vlan30-iot name=dhcp5
/port
set 0 name=serial0
# No pvid is set on any port, so once vlan-filtering is on, ether1-12 and the SFP+ ports carry
# untagged traffic as VLAN 1 (192.168.1.0/24). The "VLAN non-aware computers" meant for VLAN 10
# need pvid=10 (and frame-types=admit-only-untagged-and-priority-tagged) on their port.
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether12 internal-path-cost=10 path-cost=10
# ether13 is the WAN port (see /interface list member); it stays a disabled bridge port.
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
# VLAN 99 is tagged on every LAN port and on the bridge itself (CPU); VLANs 10/20/30 only on
# sfp-sfpplus1 (the trunk to the CRS326) and the bridge. The wrapped "vlan-ids=99" line belongs to
# the first add. None of this takes effect until vlan-filtering=yes is set on bridgeLocal.
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4
vlan-ids=99
add bridge=bridgeLocal tagged=bridgeLocal,sfp-sfpplus1 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,sfp-sfpplus1 vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,sfp-sfpplus1 vlan-ids=30
/interface ethernet switch
set 0 l3-hw-offloading=yes
# NOTE(review): vlan20-guest and vlan30-iot are members of LAN, and the input rule "Allow LAN
# Management" accepts everything from LAN, so guest and IoT clients can reach every router service
# (they need DNS and DHCP, not management). Consider a separate list for guest/IoT that only gets
# DNS (tcp/udp 53) and DHCP (udp 67) accepted in the input chain.
/interface list member
add interface=ether13 list=WAN
add interface=bridgeLocal list=LAN
add interface=vlan10-home list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan99-mgmt list=LAN
add interface=vlan30-iot list=LAN
# No enabled=yes on this entry, so the OVPN server is presumably off (default-config leftover).
/interface ovpn-server server
add mac-address=FE:A9:AA:08:41:47 name=ovpn-server1
# CAPsMAN listens on bridgeLocal (untagged); the CAPs reach it over the untagged network.
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=bridgeLocal package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
# The wrapped "supported-bands=" lines belong to the preceding add. Every radio gets cfg-guest-east
# as its slave configuration; no provisioning rule references an IoT configuration.
/interface wifi provisioning
add action=create-dynamic-enabled comment="gamla techAP-AP 5ghz" disabled=no master-configuration=cfg-home-west5 radio-mac=18:FD:74:FE:D7:14 slave-configurations=cfg-guest-east
supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="gamla techAP 2ghz" disabled=no master-configuration=cfg-home-west radio-mac=18:FD:74:FE:D7:15 slave-configurations=cfg-guest-east
supported-bands=2ghz-ax
add action=create-dynamic-enabled comment="gamla vardagsrumAP 5ghz" disabled=no master-configuration=cfg-home-east5 radio-mac=18:FD:74:FE:E4:5C slave-configurations=cfg-guest-east
supported-bands=5ghz-ax
# 192.168.1.1/24 on the untagged bridge coexists with the four VLAN gateways, so the management
# plane is currently both 192.168.1.0/24 and 192.168.99.0/24.
/ip address
add address=192.168.1.1/24 interface=bridgeLocal network=192.168.1.0
add address=192.168.99.1/24 interface=vlan99-mgmt network=192.168.99.0
add address=192.168.10.1/24 interface=vlan10-home network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-guest network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30-iot network=192.168.30.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether13 use-peer-dns=no use-peer-ntp=no
# All static leases are on dhcp1 (untagged). 192.168.1.133 is the CRS326 (its admin-mac) and
# 192.168.1.59 is the CAP noted at the top of this export.
/ip dhcp-server lease
add address=192.168.1.117 client-id=1:18:fd:74:d2:2f:b9 mac-address=18:FD:74:D2:2F:B9 server=dhcp1
add address=192.168.1.207 client-id=ff:f:22:56:18:0:3:0:1:0:26:f:22:56:18 mac-address=00:26:0F:22:56:18 server=dhcp1
add address=192.168.1.106 client-id=1:a8:51:ab:8b:69:76 mac-address=A8:51:AB:8B:69:76 server=dhcp1
add address=192.168.1.133 client-id=1:18:fd:74:9c:a8:48 mac-address=18:FD:74:9C:A8:48 server=dhcp1
add address=192.168.1.238 client-id=1:10:7b:44:19:62:1b mac-address=10:7B:44:19:62:1B server=dhcp1
add address=192.168.1.62 client-id=1:6c:b:84:a3:bf:b2 mac-address=6C:0B:84:A3:BF:B2 server=dhcp1
add address=192.168.1.60 client-id=1:18:fd:74:fe:b8:6a mac-address=18:FD:74:FE:B8:6A server=dhcp1
add address=192.168.1.59 client-id=1:18:fd:74:fe:e4:57 mac-address=18:FD:74:FE:E4:57 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
# allow-remote-requests=yes is only safe because the input chain ends in an unconditional drop
# (WAN is never accepted). The doubled backticks around the DoH URL are a paste artifact.
/ip dns
set allow-remote-requests=yes use-doh-server=``https://1.1.1.1/dns-query`` verify-doh-cert=yes
# Static entries for the DoH server; harmless, since the DoH URL already uses an IP literal.
/ip dns static
add address=1.1.1.1 name=1.1.1.1 type=A
add address=1.0.0.1 name=1.0.0.1 type=A
# input: "Allow LAN Management" accepts everything from the LAN list (see the note at
# /interface list member). "Allow CAPSman" has no in-interface match, so udp 5246/5247 is accepted
# from WAN too; add in-interface-list=LAN to it (the CAPs are on bridgeLocal anyway).
/ip firewall filter
add action=accept chain=input comment="Accept Established/Related" connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow LAN Management" in-interface-list=LAN
add action=accept chain=input comment="Allow CAPSman" dst-port=5246,5247 protocol=udp
add action=drop chain=input comment="Drop All Other Input"
# forward: only guest->home and iot->home are dropped, and only by address. Not dropped:
# guest<->iot, and guest/iot -> 192.168.99.0/24 (mgmt) or -> 192.168.1.0/24 (untagged, where the
# switch and AP live). For "internet only", drop new connections from vlan20-guest/vlan30-iot to
# out-interface-list=LAN and accept the Apple TV's address ahead of that drop. The Apple TV sits
# on VLAN 10 (CRS326 ether20 pvid=10), so the guest->home drop as written blocks it entirely.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept Established/Related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="vlan: block guest to home" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="vlan block iot to home" dst-address=192.168.10.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Drop WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# winbox is not listed, so it presumably keeps its default (enabled, any source address). Setting
# address=192.168.99.0/24 on it limits exposure from guest/IoT via the input rule above.
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name="main router"
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
# The stray backticks before "address=" are paste artifacts.
/system ntp client servers
add ``address=0.se.pool.ntp.org
add ``address=1.se.pool.ntp.org
add ``address=2.se.pool.ntp.org
add ``address=3.se.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
# RoMON is an L2 management protocol reachable from every bridge port; no secrets= appears in this
# export, so it is presumably unauthenticated. Disable it, or set secrets=, if it is not needed.
/tool romon
set enabled=yes


switch configuration

# 2025-12-29 21:38:57 by RouterOS 7.20.6

# model = CRS326-24G-2S+

# NOTE(review): no vlan-filtering=yes on the bridge, so the frame-types, pvid and ingress-filtering
# settings on the ports and the /interface bridge vlan table below are not enforced yet (per the
# RouterOS bridge docs they only apply with vlan-filtering=yes). All 26 ports are one untagged L2
# domain until it is enabled; enable it from a path that carries VLAN 99 (sfp-sfpplus1).
/interface bridge
add admin-mac=18:FD:74:9C:A8:48 auto-mac=no comment=defconf name=bridge port-cost-mode=short priority=0x4000
/interface ethernet
set [ find default-name=ether16 ] comment="to AP vardagsrum"
set [ find default-name=ether20 ] comment="to Apple TV"
set [ find default-name=sfp-sfpplus1 ] comment="To router"
set [ find default-name=sfp-sfpplus2 ] comment="To media player"
# Management interface on VLAN 99; see /ip address and /ip dhcp-client below for the second,
# untagged management address this switch also has.
/interface vlan
add comment=vlan99-mgmt interface=bridge name=vlan99-mgmt vlan-id=99
/interface list
add name=WAN
add name=LAN
# Default LTE APN entry; unused on a CRS326.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/port
set 0 name=serial0
# ingress-filtering=no and no pvid on ether1-15, 17-19, 21-24: untagged traffic on them is VLAN 1,
# so a device plugged in there ends up on the router's untagged 192.168.1.0/24, not on VLAN 10.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15 internal-path-cost=10 path-cost=10
# ether16 (AP): trunk for VLANs 10/20/30 (see the vlan table), but VLAN 99 is not tagged on it and
# there is no pvid, so the CAP's own management/CAPsMAN traffic is untagged VLAN 1. Once
# vlan-filtering is on, that traffic cannot leave via sfp-sfpplus1 (admit-only-vlan-tagged) and
# the CAP presumably loses its controller; give ether16 pvid=99 (VLAN 99 is already carried on
# the router trunk) or tag 99 here and configure the CAP accordingly — the CAP side is not shown.
add bridge=bridge comment="defconf & AP" interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19 internal-path-cost=10 path-cost=10
# ether20 (Apple TV): untagged access port in VLAN 10. Guest access to it needs an accept rule on
# the router placed ahead of the guest->home drop; the rule as exported blocks all of VLAN 10.
add bridge=bridge comment="defconf & ATV" frame-types=admit-only-untagged-and-priority-tagged interface=ether20 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24 internal-path-cost=10 path-cost=10
# sfp-sfpplus1 (router): tagged-only trunk carrying 99 plus 10/20/30 per the vlan table.
add bridge=bridge comment=defconf&router frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
# sfp-sfpplus2 (media player): untagged access port in VLAN 10.
add bridge=bridge comment=defconf&linn frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10 pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
# VLAN 99 to the CPU ("bridge") and the router only; 10/20/30 between the router and the AP.
# RouterOS adds dynamic untagged entries for the pvid=10 ports (ether20, sfp-sfpplus2) itself.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=sfp-sfpplus1,ether16 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,ether16 vlan-ids=20
add bridge=bridge tagged=sfp-sfpplus1,ether16 vlan-ids=30
# ether1 in WAN is a default-config leftover; ether1 is a bridge port and nothing on this switch
# references the WAN/LAN lists, so the membership has no effect here.
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
# No enabled=yes, so presumably off; if it is ever enabled, drop md5 from auth=.
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:2E:87:C2:16:78 name=ovpn-server1
# The comment reads "so that the switch gets an IP on vlan99" (Swedish, escaped by the export).
# This switch has no /ip firewall filter, so this address and the DHCP one below are reachable
# from any VLAN the router forwards into 192.168.99.0/24 or 192.168.1.0/24 — and the router's
# forward chain does not block guest/IoT to either.
/ip address
add address=192.168.99.2/24 comment="s\C3\A5 att switchen f\C3\A5r en IP p\C3\A5 vlan99" interface=vlan99-mgmt network=192.168.99.0
/ip cloud
set update-time=no
# Second management address, on the untagged bridge (VLAN 1); it is the 192.168.1.133 static lease
# on the router. Remove it once VLAN 99 management is confirmed to work, so the switch has one
# management plane.
/ip dhcp-client
add interface=bridge
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# BFD on all interfaces with no dynamic routing protocol configured; unused.
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=vrumswitch
/system ntp client
set enabled=yes
# NTP from the router's untagged address; would become 192.168.99.1 if the untagged address goes.
/system ntp client servers
add address=192.168.1.1
# SwOS (dual-boot) settings only apply when the CRS326 is booted into SwOS; the static
# 192.168.1.200 is not used under RouterOS.
/system swos
set allow-from-ports=p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28,p29,p30,p31 static-ip-address=192.168.1.200
# RoMON is enabled on all ports with no secrets= shown in this export, so it is presumably
# unauthenticated. Disable it, or set secrets=, if it is not needed. (Trailing backtick is a
# paste artifact.)
/tool romon
set enabled=yes`

Would you be able to provide us with a diagram of the VLANs that should be set up and where should they run (trunk ports, access ports, etc.) as well as elaborate on any other requirements like inter-VLAN communication, internet access for a given VLAN…?


What @TheCat12 says. Plus, if you are using AI to do this, it looks like you are new to VLANs. So implement one VLAN at a time. If you use the AI for that first VLAN, make sure you understand and agree with what you are told to do.


Could you please reformat your post with the code tag </>, which makes the configurations easier to read.

This is how properly posted code should look.

When you use the </> button, it works sometimes "correctly", auto-sensing that it is Mikrotik code, sometimes it doesn't.

The "basic" efffect of the </> button is to make three backticks before and three backticks after what is selected when you press it, then it should (but sometimes it doesn't) recognize that it is Mikrotik code and append to the three backticks "RouterOS".

Manually, it should be (I replaced the backticks with single quotes below):
'''RouterOS

'''

It is far from being "foolproof": an added backtick (or some other markdown-meaningful character) may mess up the whole thing.

Your configurations, actually readable (the added RouterOS makes it colourful and inside a scrollable code box):

# 2025-12-29 21:36:41 by RouterOS 7.20.6

# model = CCR2116-12G-4S+
# NOTE(review): the paste joined "/interface bridge", its "add ..." line and "/interface wifi" onto
# one line; in the export they are three separate lines. The export shows no vlan-filtering=yes on
# bridgeLocal, so the /interface bridge vlan table further down is not enforced: every bridge port
# is one untagged L2 domain (192.168.1.0/24) until vlan-filtering is enabled. Enable it last, after
# the tagged/pvid assignments below are verified, from a path that carries VLAN 99.
/interface bridgeadd admin-mac=78:9A:18:A0:7B:E2 auto-mac=no comment=defconf name=bridgeLocal port-cost-mode=short priority=0x1000/interface wifi
# The next line appears to be an export annotation whose leading "#" was lost in the paste. The CAP
# MAC matches the static lease 192.168.1.59 in /ip dhcp-server lease below, i.e. the AP is managed
# over the untagged network, not over VLAN 99.
(operated by CAP 18:FD:74:FE:E4:57%bridgeLocal, traffic processing on CAP)
# NOTE(review): this is an enabled CAP-operated wifi interface (ssid MT2, wpa2/wpa3) that shares the
# name "sec-home" with the security profile below. It has no datapath=, so its clients land untagged
# on bridgeLocal (192.168.1.0/24), outside the VLAN scheme. Confirm it is intended; MT2 is not one of
# the HomeWiFi/GuestWiFi SSIDs provisioned further down.
add configuration.country=Sweden .mode=ap .ssid=MT2 disabled=no name=sec-home radio-mac=18:FD:74:FE:E4:5D security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# Router-side L3 interfaces, one per VLAN, all on bridgeLocal.
/interface vlan
add interface=bridgeLocal name=vlan10-home vlan-id=10
add interface=bridgeLocal name=vlan20-guest vlan-id=20
add interface=bridgeLocal name=vlan30-iot vlan-id=30
add interface=bridgeLocal name=vlan99-mgmt vlan-id=99
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax comment=ch-2g-01 disabled=no frequency=2412 name=ch-2g-01 width=20mhz
add band=2ghz-ax comment=ch-2g-06 disabled=no frequency=2437 name=ch-2g-06 width=20mhz
add band=2ghz-ax comment=ch-2g-11 disabled=no frequency=2462 name=ch-2g-11 width=20mhz
add band=5ghz-ax comment=ch-5g-36 disabled=no frequency=5180 name=ch-5g-36 skip-dfs-channels=disabled width=20/40/80+80mhz
add band=5ghz-ax comment=ch-5g-52 disabled=no frequency=5260 name=ch-5g-52 width=20/40/80+80mhz
add band=5ghz-ax comment=ch-5g-100 disabled=no frequency=5500 name=ch-5g-100 width=20/40/80+80mhz
# Each datapath tags wifi clients into a VLAN via vlan-id on bridgeLocal. dp-iot is not referenced
# by any /interface wifi configuration below, so VLAN 30 currently has no SSID at all.
/interface wifi datapath
add bridge=bridgeLocal comment=dp-home disabled=no name=dp-home vlan-id=10
add bridge=bridgeLocal comment=dp-guest disabled=no name=dp-guest vlan-id=20
add bridge=bridgeLocal comment=dp-iot disabled=no name=dp-iot vlan-id=30
# sec-iot is WPA2-only without management-protection, presumably for IoT client compatibility;
# like dp-iot it is not used by any configuration in this export.
/interface wifi security
add authentication-types=wpa3-psk comment=sec-home disabled=no ft=yes ft-over-ds=yes management-protection=required name=sec-home
add authentication-types=wpa3-psk comment=sec-guest disabled=no ft=yes ft-over-ds=yes management-protection=required name=sec-guest
add authentication-types=wpa2-psk comment=sec-iot disabled=no ft=yes ft-over-ds=yes name=sec-iot
# The "ssid=" / "HomeWiFi" pairs below are one command each (paste line-wrapping).
/interface wifi configuration
add channel=ch-2g-06 comment=cfg-home-mid country=Sweden datapath=dp-home disabled=no name=cfg-home-mid security=sec-home ssid=HomeWiFi
add channel=ch-2g-11 comment=cfg-home-east country=Sweden datapath=dp-home disabled=no name=cfg-home-east security=sec-home ssid=HomeWiFi
add channel=ch-2g-11 comment=cfg-home-west country=Sweden datapath=dp-home disabled=no name=cfg-home-west security=sec-home ssid=HomeWiFi
add channel=ch-5g-36 channel.skip-dfs-channels=disabled .width=20/40/80mhz comment=cfg-home-east5 country=Sweden datapath=dp-home disabled=no name=cfg-home-east5 security=sec-home ssid=
HomeWiFi
add channel=ch-5g-52 channel.skip-dfs-channels=disabled .width=20/40/80mhz comment=cfg-home-mid5 country=Sweden datapath=dp-home disabled=no name=cfg-home-mid5 security=sec-home ssid=
HomeWiFi
add channel=ch-5g-100 channel.skip-dfs-channels=disabled .width=20/40/80mhz comment=cfg-home-west5 country=Sweden datapath=dp-home disabled=no name=cfg-home-west5 security=sec-home
ssid=HomeWiFi
add comment=cfg-guest-east country=Sweden datapath=dp-guest disabled=no name=cfg-guest-east security=sec-guest ssid=GuestWiFi
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool3 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool4 ranges=192.168.30.2-192.168.30.254
# dhcp1 serves the untagged bridge (192.168.1.0/24). Every port without a pvid lands there,
# including the switch and the AP (see the static leases below), so the untagged network is the
# de-facto management network rather than VLAN 99.
/ip dhcp-server
add address-pool=dhcp interface=bridgeLocal lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=vlan99-mgmt name=dhcp2
add address-pool=dhcp_pool2 interface=vlan10-home name=dhcp3
add address-pool=dhcp_pool3 interface=vlan20-guest name=dhcp4
add address-pool=dhcp_pool4 interface=vlan30-iot name=dhcp5
/port
set 0 name=serial0
# No pvid is set on any port, so once vlan-filtering is on, ether1-12 and the SFP+ ports carry
# untagged traffic as VLAN 1 (192.168.1.0/24). The "VLAN non-aware computers" meant for VLAN 10
# need pvid=10 (and frame-types=admit-only-untagged-and-priority-tagged) on their port.
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether12 internal-path-cost=10 path-cost=10
# ether13 is the WAN port (see /interface list member); it stays a disabled bridge port.
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
# VLAN 99 is tagged on every LAN port and on the bridge itself (CPU); VLANs 10/20/30 only on
# sfp-sfpplus1 (the trunk to the CRS326) and the bridge. The wrapped "vlan-ids=99" line belongs to
# the first add. None of this takes effect until vlan-filtering=yes is set on bridgeLocal.
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4
vlan-ids=99
add bridge=bridgeLocal tagged=bridgeLocal,sfp-sfpplus1 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,sfp-sfpplus1 vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,sfp-sfpplus1 vlan-ids=30
/interface ethernet switch
set 0 l3-hw-offloading=yes
# NOTE(review): vlan20-guest and vlan30-iot are members of LAN, and the input rule "Allow LAN
# Management" accepts everything from LAN, so guest and IoT clients can reach every router service
# (they need DNS and DHCP, not management). Consider a separate list for guest/IoT that only gets
# DNS (tcp/udp 53) and DHCP (udp 67) accepted in the input chain.
/interface list member
add interface=ether13 list=WAN
add interface=bridgeLocal list=LAN
add interface=vlan10-home list=LAN
add interface=vlan20-guest list=LAN
add interface=vlan99-mgmt list=LAN
add interface=vlan30-iot list=LAN
# No enabled=yes on this entry, so the OVPN server is presumably off (default-config leftover).
/interface ovpn-server server
add mac-address=FE:A9:AA:08:41:47 name=ovpn-server1
# CAPsMAN listens on bridgeLocal (untagged); the CAPs reach it over the untagged network.
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=bridgeLocal package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
# The wrapped "supported-bands=" lines belong to the preceding add. Every radio gets cfg-guest-east
# as its slave configuration; no provisioning rule references an IoT configuration.
/interface wifi provisioning
add action=create-dynamic-enabled comment="gamla techAP-AP 5ghz" disabled=no master-configuration=cfg-home-west5 radio-mac=18:FD:74:FE:D7:14 slave-configurations=cfg-guest-east
supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="gamla techAP 2ghz" disabled=no master-configuration=cfg-home-west radio-mac=18:FD:74:FE:D7:15 slave-configurations=cfg-guest-east
supported-bands=2ghz-ax
add action=create-dynamic-enabled comment="gamla vardagsrumAP 5ghz" disabled=no master-configuration=cfg-home-east5 radio-mac=18:FD:74:FE:E4:5C slave-configurations=cfg-guest-east
supported-bands=5ghz-ax
# 192.168.1.1/24 on the untagged bridge coexists with the four VLAN gateways, so the management
# plane is currently both 192.168.1.0/24 and 192.168.99.0/24.
/ip address
add address=192.168.1.1/24 interface=bridgeLocal network=192.168.1.0
add address=192.168.99.1/24 interface=vlan99-mgmt network=192.168.99.0
add address=192.168.10.1/24 interface=vlan10-home network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20-guest network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30-iot network=192.168.30.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether13 use-peer-dns=no use-peer-ntp=no
# All static leases are on dhcp1 (untagged). 192.168.1.133 is the CRS326 (its admin-mac) and
# 192.168.1.59 is the CAP noted at the top of this export.
/ip dhcp-server lease
add address=192.168.1.117 client-id=1:18:fd:74:d2:2f:b9 mac-address=18:FD:74:D2:2F:B9 server=dhcp1
add address=192.168.1.207 client-id=ff:f:22:56:18:0:3:0:1:0:26:f:22:56:18 mac-address=00:26:0F:22:56:18 server=dhcp1
add address=192.168.1.106 client-id=1:a8:51:ab:8b:69:76 mac-address=A8:51:AB:8B:69:76 server=dhcp1
add address=192.168.1.133 client-id=1:18:fd:74:9c:a8:48 mac-address=18:FD:74:9C:A8:48 server=dhcp1
add address=192.168.1.238 client-id=1:10:7b:44:19:62:1b mac-address=10:7B:44:19:62:1B server=dhcp1
add address=192.168.1.62 client-id=1:6c:b:84:a3:bf:b2 mac-address=6C:0B:84:A3:BF:B2 server=dhcp1
add address=192.168.1.60 client-id=1:18:fd:74:fe:b8:6a mac-address=18:FD:74:FE:B8:6A server=dhcp1
add address=192.168.1.59 client-id=1:18:fd:74:fe:e4:57 mac-address=18:FD:74:FE:E4:57 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
# allow-remote-requests=yes is only safe because the input chain ends in an unconditional drop
# (WAN is never accepted). The doubled backticks around the DoH URL are a paste artifact.
/ip dns
set allow-remote-requests=yes use-doh-server=``https://1.1.1.1/dns-query`` verify-doh-cert=yes
# Static entries for the DoH server; harmless, since the DoH URL already uses an IP literal.
/ip dns static
add address=1.1.1.1 name=1.1.1.1 type=A
add address=1.0.0.1 name=1.0.0.1 type=A
# input: "Allow LAN Management" accepts everything from the LAN list (see the note at
# /interface list member). "Allow CAPSman" has no in-interface match, so udp 5246/5247 is accepted
# from WAN too; add in-interface-list=LAN to it (the CAPs are on bridgeLocal anyway).
/ip firewall filter
add action=accept chain=input comment="Accept Established/Related" connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow LAN Management" in-interface-list=LAN
add action=accept chain=input comment="Allow CAPSman" dst-port=5246,5247 protocol=udp
add action=drop chain=input comment="Drop All Other Input"
# forward: only guest->home and iot->home are dropped, and only by address. Not dropped:
# guest<->iot, and guest/iot -> 192.168.99.0/24 (mgmt) or -> 192.168.1.0/24 (untagged, where the
# switch and AP live). For "internet only", drop new connections from vlan20-guest/vlan30-iot to
# out-interface-list=LAN and accept the Apple TV's address ahead of that drop. The Apple TV sits
# on VLAN 10 (CRS326 ether20 pvid=10), so the guest->home drop as written blocks it entirely.
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept Established/Related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="vlan: block guest to home" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="vlan block iot to home" dst-address=192.168.10.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Drop WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# winbox is not listed, so it presumably keeps its default (enabled, any source address). Setting
# address=192.168.99.0/24 on it limits exposure from guest/IoT via the input rule above.
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name="main router"
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=0.se.pool.ntp.org
add address=1.se.pool.ntp.org
add address=2.se.pool.ntp.org
add address=3.se.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no
# RoMON is an L2 management protocol reachable from every bridge port; no secrets= appears in this
# export, so it is presumably unauthenticated. Disable it, or set secrets=, if it is not needed.
/tool romon
set enabled=yes

The switch:

# 2025-12-29 21:38:57 by RouterOS 7.20.6

# model = CRS326-24G-2S+
/interface bridge
add admin-mac=18:FD:74:9C:A8:48 auto-mac=no comment=defconf name=bridge port-cost-mode=short priority=0x4000
/interface ethernet
set [ find default-name=ether16 ] comment="to AP vardagsrum"
set [ find default-name=ether20 ] comment="to Apple TV"
set [ find default-name=sfp-sfpplus1 ] comment="To router"
set [ find default-name=sfp-sfpplus2 ] comment="To media player"
/interface vlan
add comment=vlan99-mgmt interface=bridge name=vlan99-mgmt vlan-id=99
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/port
set 0 name=serial0
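# Bridge port membership. Two port roles are in use:
#  - trunks: sfp-sfpplus1 (to the router) and ether16 (to the AP) carry tagged VLANs
#  - access ports: one untagged VLAN selected by pvid (ether20, sfp-sfpplus2 on VLAN 10)
# All remaining edge ports now use ingress-filtering=yes and admit only untagged /
# priority-tagged frames, so a device plugged into them cannot inject its own 802.1Q
# tag and land in another VLAN (e.g. tag 99 to reach the switch's management plane).
# The old defconf lines had ingress-filtering=no with the default frame-types=admit-all,
# which accepted any tag from any port. This only has effect when vlan-filtering=yes
# is set on the bridge (bridge definition is outside this excerpt - confirm).
# Edge ports without an explicit pvid stay on the default pvid 1, which is not one of
# the planned VLANs (10/20/30/99); set pvid=10/20/30 per port as devices are attached.
/interface bridge port
# ether1 is also a member of the WAN interface list (see /interface list member)
# while being bridged as a plain access port - review whether both are intended.
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether15 internal-path-cost=10 path-cost=10
# AP uplink (trunk): carries VLANs 10/20/30 tagged per /interface bridge vlan. VLAN 99
# is NOT tagged on this port, so the AP's own management traffic presumably arrives
# untagged on pvid 1 - confirm before tightening frame-types here. ingress-filtering
# is made explicit (it is the v7 default) so tags for VLANs not assigned to this port
# are dropped.
add bridge=bridge comment="defconf & AP" ingress-filtering=yes interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether19 internal-path-cost=10 path-cost=10
# Apple TV (not VLAN-aware): access port on VLAN 10; guest->ATV reachability is a
# router firewall matter, not a switch one.
add bridge=bridge comment="defconf & ATV" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether20 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether21 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether24 internal-path-cost=10 path-cost=10
# Router uplink (trunk): tagged only, carries 10/20/30/99. Untagged frames from the
# router are dropped, which is the desired behaviour for a pure trunk.
add bridge=bridge comment=defconf&router frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
# Media player (not VLAN-aware): access port on VLAN 10.
add bridge=bridge comment=defconf&linn frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10 pvid=10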
# UDP connection-tracking timeout on the switch itself (it only routes VLAN 99).
/ip firewall connection tracking
set udp-timeout=10s
# Larger ARP/neighbor table for a switch fronting many hosts.
/ip settings
set max-neighbor-entries=8192
# IPv6 is disabled entirely on the switch; management is IPv4-only (192.168.99.2).
/ipv6 settings
set disable-ipv6=yes
# Bridge VLAN table. Tagged members are listed explicitly; untagged (access) members
# are derived from each port's pvid (ether20 and sfp-sfpplus2 on VLAN 10, everything
# else on the default pvid 1). Listing them as untagged= here as well would make the
# table self-documenting.
# VLAN 99 is tagged towards the router and to the bridge CPU (the switch's own
# vlan99-mgmt interface) only. It is NOT carried to the AP on ether16, so the AP
# cannot be managed over VLAN 99 through this port as configured.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=99
# Client VLANs are trunked to the router (sfp-sfpplus1) and the AP (ether16). The
# switch holds no IP address on them, so all inter-VLAN policy (guest -> Apple TV,
# IoT internet-only) must be enforced by the router's firewall.
add bridge=bridge tagged=sfp-sfpplus1,ether16 vlan-ids=10
add bridge=bridge tagged=sfp-sfpplus1,ether16 vlan-ids=20
add bridge=bridge tagged=sfp-sfpplus1,ether16 vlan-ids=30
# Interface-list membership. Every physical port is bridged (see /interface bridge
# port), yet ether1 is placed in WAN rather than LAN. Any rule keyed on the WAN list
# will treat ether1's bridged traffic as untrusted while it still shares the bridge
# with the LAN ports - review whether ether1 should be in LAN like its neighbours.
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
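# OpenVPN server instance. md5 has been removed from the accepted HMAC list so a
# client cannot negotiate it; sha1 is kept for compatibility. Whether this instance
# is actually enabled is not visible in this excerpt - a VPN endpoint on a switch is
# unusual, confirm it is wanted at all.
/interface ovpn-server server
add auth=sha1 mac-address=FE:2E:87:C2:16:78 name=ovpn-server1
# Switch management address on VLAN 99 (Swedish comment: "so the switch gets an IP
# on vlan99").
/ip address
add address=192.168.99.2/24 comment="s\C3\A5 att switchen f\C3\A5r en IP p\C3\A5 vlan99" interface=vlan99-mgmt network=192.168.99.0
/ip cloud
set update-time=no
# DHCP client on the untagged bridge (pvid 1) gives the switch a SECOND management
# address outside VLAN 99 (the 192.168.1.x addresses below suggest that subnet).
# Once access via 192.168.99.2 is verified, disable this so management is reachable
# from the management VLAN only.
/ip dhcp-client
add interface=bridge
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=vrumswitch
# NTP source is 192.168.1.1, not on the 192.168.99.0/24 management subnet; it will
# only be reachable while the DHCP address above exists or via routing through it.
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.1.1
# SwOS fallback settings (only apply if the device is booted into SwOS); management
# is allowed from every port there.
/system swos
set allow-from-ports=p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28,p29,p30,p31 static-ip-address=192.168.1.200
# RoMON is a Layer-2 management channel reachable from any MikroTik device on the
# same segment. No secret or per-port restriction is visible in this excerpt;
# set one (/tool romon secrets, /tool romon port) or restrict it to the router uplink.
/tool romon
set enabled=yes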

You can wrap the export in [code]...[/code] tags if you want to post configuration, for example:

```routeros
```

Is this the first time you have configured vlans with any vendor's equipment?

Anything you can do with vlans you can also do with only standard LANs; it will just require more switches, wires and ethernet ports. So if you can design a network with multiple LANs, then you can do it using vlans, but with less equipment. vlans are primarily a way to share hardware resources, while emulating separate LANs. It is very similar in concept to virtual machines, where a single server can emulate multiple separate servers.

Your diagram shows the Apple TV with two vlans attached, vlan10 and vlan20. Is the Apple TV vlan aware? i.e. can it understand vlan tags?

@Buckeye You ask a good question!
It’s the second time I’m doing VLANs. The first time was on several Cisco switches plus a router and Ruckus APs. In several respects it was like hitting my head against a wall. We sold it all and went 100% MikroTik.

The Apple TV is not VLAN-aware. It could be made reachable from two VLANs in complicated ways (firewall rules on the router, etc.), but I don’t need that complexity; I want to keep things simple. I have uploaded a new network diagram in my latest post. I also have a VLAN-aware Supermicro server running multiple VMs, but I’ll add that one in a couple of months. I like your analogy of how VMs are similar to VLANs. Thanks!

Updated network diagram. I have not done any changes to the configuration yet.