[hAP ax2] 4 VLANs am I doing something wrong?

Hello guys,

I hope y’all are well and that this is not against any rule. If so I’ll remove this post.

I am completely new to MikroTik (~2 weeks old) with (very) limited networking experience.
I bought a MikroTik hAP ax2 to have a better ownership of my home network, and support a company providing the kind of hardware/software support MikroTik does.

I wanted to:

  • Enable VLAN filtering, having 4 VLANs (for main, homelab, IoT, guests)
  • Have 4 access points, one per VLAN
  • Have custom firewall rules across VLANs

I know (think?) my setup is pretty standard, but I couldn’t find anyone doing it the way I do. I went through the forum, countless YouTube videos, other people’s configurations and the documentation (e.g. Using RouterOS to VLAN your network). I managed (after getting locked out way too many times) to set up my config as I wanted to, and it seems to work as I intend it to.

However, I know that I cannot judge whether I accidentally made a dumb mistake and left my router with an open hole allowing external access, especially since I tweaked the firewall rules.

I am running RouterOS 7.21 (stable).
Below is my config

# 2026-01-30 12:47:33 by RouterOS 7.21
# software id = 5QYW-B1W7
#
# model = C52iG-5HaxD2HaxD
# serial number = mod removed
# NOTE(review): a plain RouterOS export omits sensitive values (no wifi
# passphrases appear under /interface wifi configuration below), so the
# strength of any secret cannot be judged from this listing.
/interface bridge
# one bridge for every LAN port; vlan-filtering=yes makes the /interface bridge
# vlan table below decide which port may carry which VLAN
add admin-mac=04:F4:1C:9A:A6:87 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
# layer-3 VLAN interfaces on the bridge: they carry the router's addresses and
# DHCP servers and are what the firewall matches with in-interface
add interface=bridge name=vlan10-main vlan-id=10
add interface=bridge name=vlan20-homelab vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-guest vlan-id=40
/interface list
# LAN = everything in VLAN plus whatever is added to LAN directly (the bridge
# itself, see /interface list member)
add comment=defconf name=WAN
add comment="all VLANs" name=VLAN
add include=VLAN name=LAN
/interface wifi configuration
# one SSID per VLAN; WPA2-PSK and WPA3-PSK are both offered, WPS is off on all
add name=cfg-main security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-main
add name=cfg-iot security.authentication-types=wpa2-psk,wpa3-psk .wps=disable \
    ssid=ansuz-iot
add name=cfg-guest security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-guest
add name=cfg-homelab security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-homelab
/interface wifi
# wifi1 (5 GHz) and wifi2 (2.4 GHz) are the radios and carry the main SSID; the
# guest/homelab/iot SSIDs are virtual APs slaved to them (one per VLAN).
# 802.11r fast transition (.ft / .ft-over-ds) is enabled on the main SSID only.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration=cfg-main configuration.mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
add configuration=cfg-guest disabled=no mac-address=06:F4:1C:9A:A6:8D \
    master-interface=wifi1 name=wifi1-guest
add configuration=cfg-homelab disabled=no mac-address=06:F4:1C:9A:A6:8F \
    master-interface=wifi1 name=wifi1-homelab
add configuration=cfg-iot disabled=no mac-address=06:F4:1C:9A:A6:8B \
    master-interface=wifi1 name=wifi1-iot
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz configuration=cfg-main configuration.mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
add configuration=cfg-guest disabled=no mac-address=06:F4:1C:9A:A6:8E \
    master-interface=wifi2 name=wifi2-guest
add configuration=cfg-homelab disabled=no mac-address=06:F4:1C:9A:A6:90 \
    master-interface=wifi2 name=wifi2-homelab
add configuration=cfg-iot disabled=no mac-address=06:F4:1C:9A:A6:8C \
    master-interface=wifi2 name=wifi2-iot
/ip pool
# leases start at .10; .1 of each /24 is the router (see /ip address)
add name=pool-main ranges=192.168.10.10-192.168.10.254
add name=pool-iot ranges=192.168.30.10-192.168.30.254
add name=pool-guest ranges=192.168.40.10-192.168.40.254
add name=pool-homelab ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
# one DHCP server bound to each VLAN interface
add address-pool=pool-main interface=vlan10-main name=dhcp-main
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-guest interface=vlan40-guest name=dhcp-guest
add address-pool=pool-homelab interface=vlan20-homelab name=dhcp-homelab
/disk settings
# NOTE(review): any attached USB media is automatically shared over SMB; the
# input chain below accepts everything from vlan10-main with no port
# restriction, so such a share would be reachable from the main VLAN. Set both
# to no if sharing is not wanted.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# access ports: pvid is the VLAN untagged ingress is placed in. frame-types is
# left at the RouterOS default (admit-all), so tagged frames are not refused at
# the port itself; only the bridge VLAN table below limits them.
add bridge=bridge comment=defconf interface=ether2 pvid=10
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wifi1 pvid=10
add bridge=bridge comment=defconf interface=wifi2 pvid=10
add bridge=bridge interface=wifi1-iot pvid=30
add bridge=bridge interface=wifi2-iot pvid=30
add bridge=bridge interface=wifi1-guest pvid=40
add bridge=bridge interface=wifi2-guest pvid=40
add bridge=bridge interface=wifi1-homelab pvid=20
add bridge=bridge interface=wifi2-homelab pvid=20
/ip neighbor discovery-settings
# no MNDP/LLDP/CDP neighbor announcements on any interface
set discover-interface-list=none
/interface bridge vlan
# the bridge (CPU) port is a tagged member of every VLAN so the /interface vlan
# interfaces above receive their traffic; each access port is untagged in
# exactly one VLAN and a member of no other
add bridge=bridge tagged=bridge untagged=\
    ether2,ether3,ether4,ether5,wifi1,wifi2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wifi1-iot,wifi2-iot vlan-ids=30
add bridge=bridge tagged=bridge untagged=wifi1-guest,wifi2-guest vlan-ids=40
add bridge=bridge tagged=bridge untagged=wifi1-homelab,wifi2-homelab \
    vlan-ids=20
/interface list member
# the bridge itself is in LAN (defconf) although it carries no IP address
# (see /ip address); the VLAN list is what the per-VLAN firewall rules use
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10-main list=VLAN
add interface=vlan30-iot list=VLAN
add interface=vlan40-guest list=VLAN
add interface=vlan20-homelab list=VLAN
/ip address
# router is .1 in every VLAN; no address on the bridge or on ether1 (ether1 is
# addressed by the DHCP client below)
add address=192.168.10.1/24 interface=vlan10-main network=192.168.10.0
add address=192.168.30.1/24 interface=vlan30-iot network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40-guest network=192.168.40.0
add address=192.168.20.1/24 interface=vlan20-homelab network=192.168.20.0
/ip dhcp-client
# WAN address obtained from the upstream DHCP server
add comment=defconf interface=ether1
/ip dhcp-server network
# every VLAN uses the router as gateway and DNS server
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
/ip dns
# allow-remote-requests=yes: the router resolves for its clients; WAN-side
# access to the resolver is blocked only by the input-chain drop rules below
set allow-remote-requests=yes
/ip dns static
# stale defconf entry: 192.168.88.1 is not configured on any interface here
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted from every interface, WAN included (defconf)
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# the main VLAN reaches every service the router listens on, unrestricted
add action=accept chain=input comment="main to router: ACCEPT" in-interface=\
    vlan10-main
# the other VLANs reach the router for DHCP and DNS only
add action=accept chain=input comment="VLAN to router (DHCP): ACCEPT" \
    dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="VLAN to router (DNS via UDP): ACCEPT" \
    dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="VLAN to router (DNS via TCP): ACCEPT" \
    dst-port=53 in-interface-list=VLAN protocol=tcp
# no matcher: everything not accepted above is dropped, WAN included, so the
# defconf !LAN rule that follows can never match
add action=drop chain=input comment="VLAN to router: DROP"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# established/related connections are fasttracked and accepted before any
# per-VLAN rule, so the rules below only see new connections
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# vlan10-main may initiate connections to every other VLAN and to WAN
add action=accept chain=forward comment="main to any: ACCEPT" in-interface=\
    vlan10-main
# homelab/iot/guest: internet only
add action=accept chain=forward comment="VLAN to WAN: ACCEPT" \
    in-interface-list=VLAN out-interface-list=WAN
# inter-VLAN traffic from homelab/iot/guest ends here; WAN-sourced traffic is
# not in VLAN and falls through to the next rule
add action=drop chain=forward comment="VLAN to any: DROP" in-interface-list=\
    VLAN
# WAN -> inside only for dst-nat'ed connections, and no dst-nat is configured
# in this export (see /ip firewall nat)
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
# NOTE(review): no catch-all drop at the end of forward: anything not matched
# above (traffic entering on an interface that is in neither VLAN nor WAN) is
# accepted by the chain's default action
/ip firewall nat
# outbound NAT only; nothing is published inbound
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ssh
# weak SSH ciphers/MACs disabled
set strong-crypto=yes
/ipv6 firewall address-list
# defconf bogon list used by the IPv6 forward chain
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# defconf IPv6 rules, unchanged. NOTE(review): no IPv6 addresses are configured
# in this export, but neither IPv6 chain has a per-VLAN restriction: both end
# with a drop of !LAN only, so traffic from any LAN-list interface (to the
# router, or forwarded to any other VLAN) is accepted by default. Mirror the
# IPv4 per-VLAN rules here before enabling IPv6 on the VLANs.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zurich
/tool bandwidth-server
# bandwidth-test server off
set enabled=no
/tool mac-server
# MAC-telnet, MAC-winbox and MAC-ping disabled on every interface: there is no
# layer-2 fallback into the router if the IP configuration breaks, so keep an
# out-of-band path (e.g. a port outside the bridge) before relying on this
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Would anyone be kind enough to help an afraid noob ?
I am mainly concerned about having a huge hole in my firewall.

Thank you very much

I would expect 4 VLANs... on the other hand, this makes things easier.

Can you change this part:

/interface bridge port
# quoted from the original post: pvid is set on each access port, but
# frame-types is still at the RouterOS default (admit-all), so tagged frames
# from an attached host are not refused at the port itself
add bridge=bridge comment=defconf interface=ether2 pvid=10
add bridge=bridge comment=defconf interface=ether3 pvid=10
add bridge=bridge comment=defconf interface=ether4 pvid=10
add bridge=bridge comment=defconf interface=ether5 pvid=10
add bridge=bridge comment=defconf interface=wifi1 pvid=10
add bridge=bridge comment=defconf interface=wifi2 pvid=10
add bridge=bridge interface=wifi1-iot pvid=30
add bridge=bridge interface=wifi2-iot pvid=30

to:

/interface bridge port
# admit-only-untagged-and-priority-tagged: the port refuses tagged frames from
# the attached host, so the pvid is the only VLAN that host can ever be placed
# in, regardless of what the bridge VLAN table would otherwise allow
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged comment=defconf interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged comment=defconf interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged comment=defconf interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged comment=defconf interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged comment=defconf interface=wifi1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged comment=defconf interface=wifi2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-iot pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-iot pvid=30

Though making things explicit does clear things up... you can remove the untagged interfaces, because that is already set on the /interface bridge port:

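/interface bridge vlan
# untagged=... repeats what each port's pvid already expresses; tagged=bridge is
# the part the /interface vlan interfaces on the bridge need
add bridge=bridge tagged=bridge untagged=\
    ether2,ether3,ether4,ether5,wifi1,wifi2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wifi1-iot,wifi2-iot vlan-ids=30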

As you don't use the bridge (VLAN only), you can remove the addressing of the bridge to LAN:

/interface list member
# the bridge carries no IP address in this config, so keeping it in LAN only
# widens what the LAN / !LAN firewall matchers cover
add comment=defconf interface=bridge list=LAN

I haven't checked the firewall, I would advise you to end both chains with a drop.

And, as @anav always advises...leave an interface from the bridge so you are still able to connect to your router when you screw things up.

Thank you for the quick answer and its completeness.

You're absolutely right; I uploaded a work-in-progress config. I apologize, and I have updated my original post's .rsc file.

From your comment I

  • Updated all ports to have frame-types=admit-only-untagged-and-priority-tagged
  • Removed all untagged interfaces, since PVID handles that (I didn't know that, thank you)
  • Removed the addressing of the bridge to LAN
  • Added drop-all rules at the end of both chains, which simplifies my firewall rules; thank you!

Below is the updated config FYI

# 2026-01-30 13:03:46 by RouterOS 7.21
# software id = 5QYW-B1W7
#
# model = C52iG-5HaxD2HaxD
# serial number = mod removed - again
# NOTE(review): a plain RouterOS export omits sensitive values (no wifi
# passphrases appear under /interface wifi configuration below), so the
# strength of any secret cannot be judged from this listing.
/interface bridge
# one bridge for every LAN port; vlan-filtering=yes enables the bridge VLAN
# table, which decides which port may carry which VLAN
add admin-mac=04:F4:1C:9A:A6:87 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
# layer-3 VLAN interfaces on the bridge: they carry the router's addresses and
# DHCP servers and are what the firewall matches with in-interface
add interface=bridge name=vlan10-main vlan-id=10
add interface=bridge name=vlan20-homelab vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-guest vlan-id=40
/interface list
# LAN is now exactly the VLAN list (the bridge itself is no longer a member)
add comment=defconf name=WAN
add comment="all VLANs" name=VLAN
add include=VLAN name=LAN
/interface wifi configuration
# one SSID per VLAN; WPA2-PSK and WPA3-PSK are both offered, WPS is off on all
add name=cfg-main security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-main
add name=cfg-iot security.authentication-types=wpa2-psk,wpa3-psk .wps=disable \
    ssid=ansuz-iot
add name=cfg-guest security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-guest
add name=cfg-homelab security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-homelab
/interface wifi
# wifi1 (5 GHz) and wifi2 (2.4 GHz) are the radios and carry the main SSID; the
# guest/homelab/iot SSIDs are virtual APs slaved to them (one per VLAN).
# 802.11r fast transition (.ft / .ft-over-ds) is enabled on the main SSID only.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration=cfg-main configuration.mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
add configuration=cfg-guest disabled=no mac-address=06:F4:1C:9A:A6:8D \
    master-interface=wifi1 name=wifi1-guest
add configuration=cfg-homelab disabled=no mac-address=06:F4:1C:9A:A6:8F \
    master-interface=wifi1 name=wifi1-homelab
add configuration=cfg-iot disabled=no mac-address=06:F4:1C:9A:A6:8B \
    master-interface=wifi1 name=wifi1-iot
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz configuration=cfg-main configuration.mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
add configuration=cfg-guest disabled=no mac-address=06:F4:1C:9A:A6:8E \
    master-interface=wifi2 name=wifi2-guest
add configuration=cfg-homelab disabled=no mac-address=06:F4:1C:9A:A6:90 \
    master-interface=wifi2 name=wifi2-homelab
add configuration=cfg-iot disabled=no mac-address=06:F4:1C:9A:A6:8C \
    master-interface=wifi2 name=wifi2-iot
/ip pool
# leases start at .10; .1 of each /24 is the router (see /ip address)
add name=pool-main ranges=192.168.10.10-192.168.10.254
add name=pool-iot ranges=192.168.30.10-192.168.30.254
add name=pool-guest ranges=192.168.40.10-192.168.40.254
add name=pool-homelab ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
# one DHCP server bound to each VLAN interface
add address-pool=pool-main interface=vlan10-main name=dhcp-main
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-guest interface=vlan40-guest name=dhcp-guest
add address-pool=pool-homelab interface=vlan20-homelab name=dhcp-homelab
/disk settings
# NOTE(review): any attached USB media is automatically shared over SMB; the
# input chain below accepts everything from vlan10-main with no port
# restriction, so such a share would be reachable from the main VLAN. Set both
# to no if sharing is not wanted.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# access ports: pvid is the VLAN untagged ingress is placed in, and
# admit-only-untagged-and-priority-tagged makes the port refuse tagged frames,
# so an attached host can only ever end up in its pvid VLAN.
# NOTE(review): this export has no static /interface bridge vlan section, so
# VLAN membership relies on the entries RouterOS derives from each port's pvid
# and from the /interface vlan interfaces; confirm with
# `/interface bridge vlan print` that the bridge is listed as a tagged member
# of 10, 20, 30 and 40.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-iot pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-iot pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-guest pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-guest pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-homelab pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-homelab pvid=20
/ip neighbor discovery-settings
# no MNDP/LLDP/CDP neighbor announcements on any interface
set discover-interface-list=none
/interface list member
# the bridge itself is no longer in LAN; only ether1 (WAN) and the four VLAN
# interfaces are classified
add comment=defconf interface=ether1 list=WAN
add interface=vlan10-main list=VLAN
add interface=vlan30-iot list=VLAN
add interface=vlan40-guest list=VLAN
add interface=vlan20-homelab list=VLAN
/ip address
# router is .1 in every VLAN; no address on the bridge or on ether1 (ether1 is
# addressed by the DHCP client below)
add address=192.168.10.1/24 interface=vlan10-main network=192.168.10.0
add address=192.168.30.1/24 interface=vlan30-iot network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40-guest network=192.168.40.0
add address=192.168.20.1/24 interface=vlan20-homelab network=192.168.20.0
/ip dhcp-client
# WAN address obtained from the upstream DHCP server
add comment=defconf interface=ether1
/ip dhcp-server network
# every VLAN uses the router as gateway and DNS server
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
/ip dns
# allow-remote-requests=yes: the router resolves for its clients; WAN-side
# access to the resolver is blocked only by the input-chain catch-all below
set allow-remote-requests=yes
/ip dns static
# stale defconf entry: 192.168.88.1 is not configured on any interface here
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# ICMP is accepted from every interface, WAN included (defconf)
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# the main VLAN reaches every service the router listens on, unrestricted
add action=accept chain=input comment="main to router: ACCEPT" in-interface=\
    vlan10-main
# the other VLANs reach the router for DHCP and DNS only
add action=accept chain=input comment="VLAN to router (DHCP): ACCEPT" \
    dst-port=67 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="VLAN to router (DNS via UDP): ACCEPT" \
    dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="VLAN to router (DNS via TCP): ACCEPT" \
    dst-port=53 in-interface-list=VLAN protocol=tcp
# catch-all: everything not accepted above is dropped, WAN and other VLANs alike
add action=drop chain=input comment="any to router: DROP"
# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# established/related connections are fasttracked and accepted before any
# per-VLAN rule, so the rules below only see new connections
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# vlan10-main may initiate connections to every other VLAN and to WAN
add action=accept chain=forward comment="main to any: ACCEPT" in-interface=\
    vlan10-main
# homelab/iot/guest: internet only
add action=accept chain=forward comment="VLAN to WAN: ACCEPT" \
    in-interface-list=VLAN out-interface-list=WAN
# WAN -> inside only for dst-nat'ed connections, and no dst-nat is configured
# in this export (see /ip firewall nat)
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
# catch-all: inter-VLAN traffic from homelab/iot/guest and anything else not
# explicitly accepted above is dropped here
add action=drop chain=forward comment="any to any: DROP"
/ip firewall nat
# outbound NAT only; nothing is published inbound
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ssh
# weak SSH ciphers/MACs disabled
set strong-crypto=yes
/ipv6 firewall address-list
# defconf bogon list used by the IPv6 forward chain
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# defconf IPv6 rules, unchanged. NOTE(review): no IPv6 addresses are configured
# in this export, but neither IPv6 chain has a per-VLAN restriction: both end
# with a drop of !LAN only, so traffic from any LAN-list interface (to the
# router, or forwarded to any other VLAN) is accepted by default. Mirror the
# IPv4 per-VLAN rules and catch-all drops here before enabling IPv6.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zurich
/tool bandwidth-server
# bandwidth-test server off
set enabled=no
/tool mac-server
# MAC-telnet, MAC-winbox and MAC-ping disabled on every interface: there is no
# layer-2 fallback into the router if the IP configuration breaks, so keep an
# out-of-band path (e.g. a port outside the bridge) before relying on this
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Thank you again for your inputs and sorry for messing up the first .rsc

Recommendations.......

  1. Make your interface lists clearer and purpose-focused, supporting better security and consistency with the default firewall rules.
/interface list
add comment=defconf name=WAN
# NOTE(review): on a router that still has the defconf LAN list, `add name=LAN`
# is expected to fail as a duplicate name; reuse (set) the existing list instead
add comment="all VLANs" name=LAN
# BASE = the interfaces allowed to manage the router (used by the input chain,
# neighbor discovery and mac-winbox settings that follow)
add comment="trusted"  name=BASE
/interface list member
add comment=defconf interface=ether1 list=WAN
# every VLAN is LAN ...
add interface=vlan10-main list=LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-guest list=LAN
add interface=vlan20-homelab list=LAN
# ... but only the main VLAN is trusted for management
add interface=vlan10-main list=BASE
  1. Remove this no-longer-needed default static DNS rule.
    /ip dns static
    # 192.168.88.1 is not configured on any interface in this config (the router
    # is .1 in each 192.168.x0.0/24), so router.lan points at nothing reachable
    add address=192.168.88.1 comment=defconf name=router.lan type=A

  2. MISSING, the /interface bridge vlan settings ???

```
/interface bridge vlan
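# the bridge (CPU) port is a tagged member of every VLAN; each access port is
# untagged in exactly one VLAN
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4,ether5,\
  wifi1,wifi2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=wifi1-homelab,wifi2-homelab \
   vlan-ids=20
add bridge=bridge tagged=bridge untagged=wifi1-iot,wifi2-iot vlan-ids=30
# was "wifi1-guest,wifi1-guest" (the same port listed twice): the second guest
# AP is wifi2-guest, matching the other VLAN entries
add bridge=bridge tagged=bridge untagged=wifi1-guest,wifi2-guest \
   vlan-ids=40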
```
  1. Modify firewall rules:
    ```
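    /ip firewall address-list
    # admin devices; give them static DHCP leases so the addresses stay fixed
    # (X/Y/Z are placeholders to fill in)
    add address=192.168.10.X list=TRUSTED comment="admin pc"
    add address=192.168.10.Y list=TRUSTED comment="admin smartphone"
    add address=192.168.10.Z list=TRUSTED comment="admin tablet/ipad"
    /ip firewall filter
    # ---- input: traffic addressed to the router itself ----
    add action=accept chain=input connection-state=established,related,untracked
    add action=drop chain=input connection-state=invalid
    add action=accept chain=input protocol=icmp
    add action=accept chain=input dst-address=127.0.0.1
    # management plane: only TRUSTED addresses, and only when they arrive on a
    # BASE interface (both must match)
    add action=accept chain=input comment="admin access" in-interface-list=BASE \
    src-address-list=TRUSTED
    # every VLAN may use the router for DNS (53) and NTP (123); 123 is only
    # useful if the router's NTP server is enabled
    add action=accept chain=input comment="users to services" in-interface-list=LAN \
    dst-port=53,123 protocol=udp
    add action=accept chain=input comment="users to services" in-interface-list=LAN \
    dst-port=53 protocol=tcp
    add action=drop chain=input comment="drop all else"
    # ---- forward: traffic routed through the router ----
    add action=fasttrack-connection chain=forward connection-state=established,related
    add action=accept chain=forward connection-state=established,related,untracked
    add action=drop chain=forward connection-state=invalid
    # all VLANs: internet
    add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
    out-interface-list=WAN
    # only trusted admin devices may initiate into the other VLANs
    add action=accept chain=forward comment="admin to vlans" in-interface-list=BASE \
    src-address-list=TRUSTED out-interface-list=LAN
    add action=drop chain=forward comment="drop all else"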
    ```

  2. Modify TO:
    ```
    /ip neighbor discovery-settings
    # neighbor discovery (MNDP/LLDP/CDP) announced only on the trusted BASE interfaces
    set discover-interface-list=BASE
    ```

  3. Modify TO:
    ```
    /tool mac-server mac-winbox
    # MAC-Winbox (layer-2 Winbox access that needs no IP) only from BASE interfaces
    set allowed-interface-list=BASE
    ```

  4. I would consider reducing your wifi WLANs if they are not necessary; for example, for guests, do you need to provide both 2 GHz and 5 GHz??? IoT may only need 2.4 GHz??

  5. As stated by erlinden, to have emergency access if the bridge burps you out, and also for safe configuration while making bridge changes, use an off-bridge port, if you have a spare port of course. If you choose to do so, let's use ether5 as an example. Following are the changes to the above: REMOVE ether5 from the bridge (i.e. remove it from the bridge port and bridge vlan settings).
    ```
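    /interface ethernet
    set [ find default-name=ether5 ] name=OffBridge5
    # ether5 must already be removed from /interface bridge port (and from any
    # bridge vlan entry) before it can carry its own address
    /interface list member
    # ... existing members unchanged ...
    add interface=OffBridge5 list=LAN
    add interface=OffBridge5 list=BASE
    /ip address
    # ... existing addresses unchanged ...
    # /30: .1 is the router, .2 is the only other usable host address
    add address=192.168.55.1/30 interface=OffBridge5 network=192.168.55.0
    /ip firewall address-list
    # fixed address of the machine plugged into OffBridge5 (static lease or
    # manual IPv4 setting on that machine)
    add address=192.168.55.2 list=TRUSTED comment="Off bridge access"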
    ```

Now plug your computer into ether5 and set its IPv4 address to 192.168.55.2.
One should be able to access the router config with username and password.

Hello @anav
Thank you for taking the time to answer

From your comment, I

  • Removed the no-longer-needed default DNS rule
  • Reduced my APs to have 2.4GHz-only IoT and guest network
  • Created a MGMT interface list -- containing vlan10-main and the newly-segregated ether5 -- for cleaner rules
  • Modified my firewall to
    • Rely on MGMT interface list instead of directly the vlan10-main interface
    • Renamed the VLAN interface list to LAN for clearer naming -- since it contains all VLANs anyway
    • Allow LAN to access the NTP service
    • Change the MGMT -> LAN forward access rule, to be intentional (instead of relying on MGMT -> any)
  • Set /tool/mac-server/mac-winbox and ip/neighbor/discovery-settings to allow MGMT
  • Use an off-bridge port (ether5) --> Thank you for that tip
  1. MISSING, the /interface bridge vlan settings ???

Isn't that handled by RouterOS, since I set each bridge port's PVID?

/interface/bridge/port> p   
Flags: I - INACTIVE
Columns: INTERFACE, BRIDGE, HW, HORIZON, TRUSTED, FAST-LEAVE, BPDU-GUARD, EDGE, POINT-TO-POINT, PVID, FRAME-TYPES
#   INTERFACE      BRIDGE  HW   HORIZON  TRUSTED  FAST-LEAVE  BPDU-GUARD  EDGE  POINT-TO-POINT  PVID  FRAME-TYPES                            
;;; defconf
0   ether2         bridge  yes  none     no       no          no          auto  auto              10  admit-only-untagged-and-priority-tagged
;;; defconf
1 I ether3         bridge  yes  none     no       no          no          auto  auto              10  admit-only-untagged-and-priority-tagged
;;; defconf
2 I ether4         bridge  yes  none     no       no          no          auto  auto              10  admit-only-untagged-and-priority-tagged
;;; defconf
3 I wifi1          bridge       none     no       no          no          auto  auto              10  admit-only-untagged-and-priority-tagged
;;; defconf
4 I wifi2          bridge       none     no       no          no          auto  auto              10  admit-only-untagged-and-priority-tagged
5 I wifi1-homelab  bridge       none     no       no          no          auto  auto              20  admit-only-untagged-and-priority-tagged
6 I wifi2-homelab  bridge       none     no       no          no          auto  auto              20  admit-only-untagged-and-priority-tagged
7   wifi2-iot      bridge       none     no       no          no          auto  auto              30  admit-only-untagged-and-priority-tagged
8 I wifi2-guest    bridge       none     no       no          no          auto  auto              40  admit-only-untagged-and-priority-tagged

Thanks a lot for all these tips !!

FYI, below is my now-updated config.

# 2026-02-01 11:39:48 by RouterOS 7.21
# software id = 5QYW-B1W7
#
# model = C52iG-5HaxD2HaxD
# serial number = mod removed - and yet again
#
# NOTE(review): this is a non-default export. Sections that keep their
# defaults (/ip service, /user, /interface bridge vlan, /ip settings) do not
# appear here, so their state cannot be judged from this listing alone.
/interface bridge
# Single bridge with VLAN filtering on. The bridge keeps its default PVID;
# per-VLAN membership comes from the PVIDs set on the ports further down.
add admin-mac=04:F4:1C:9A:A6:87 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface ethernet
# ether5 is intentionally NOT a bridge port: it is a standalone, routed
# management interface, so a bridge/VLAN misconfiguration cannot lock the
# admin out.
set [ find default-name=ether5 ] name=ether5-mgmt
/interface vlan
# One L3 VLAN interface per segment; these carry the gateway addresses,
# DHCP servers and interface-list membership used by the firewall.
add interface=bridge name=vlan10-main vlan-id=10
add interface=bridge name=vlan20-homelab vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
add interface=bridge name=vlan40-guest vlan-id=40
/interface list
# WAN  - ether1 (see "interface list member")
# LAN  - all four VLAN interfaces plus ether5-mgmt; gets DNS/DHCP/NTP to the
#        router and forwarding to WAN only
# MGMT - vlan10-main and ether5-mgmt; gets unrestricted input to the router
#        and forwarding into every LAN segment
add comment=defconf name=WAN
add comment="all VLANs" name=LAN
add name=MGMT
/interface wifi configuration
# One SSID per VLAN; the wifi interfaces below bind each configuration to a
# bridge port carrying the matching PVID.
add name=cfg-main security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-main
add name=cfg-iot security.authentication-types=wpa2-psk,wpa3-psk .wps=disable \
    ssid=ansuz-iot
add name=cfg-guest security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-guest
add name=cfg-homelab security.authentication-types=wpa2-psk,wpa3-psk .wps=\
    disable ssid=ansuz-homelab
/interface wifi
# wifi1 (5 GHz) and wifi2 (2.4 GHz) are the master interfaces and carry the
# main SSID; the extra SSIDs are slave (virtual) interfaces on top of them.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration=cfg-main configuration.mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
add configuration=cfg-homelab disabled=no mac-address=06:F4:1C:9A:A6:8F \
    master-interface=wifi1 name=wifi1-homelab
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz configuration=cfg-main configuration.mode=ap \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
add configuration=cfg-guest disabled=no mac-address=06:F4:1C:9A:A6:8E \
    master-interface=wifi2 name=wifi2-guest
add configuration=cfg-homelab disabled=no mac-address=06:F4:1C:9A:A6:90 \
    master-interface=wifi2 name=wifi2-homelab
add configuration=cfg-iot disabled=no mac-address=06:F4:1C:9A:A6:8C \
    master-interface=wifi2 name=wifi2-iot
/ip pool
# Third octet mirrors the VLAN id (10/20/30/40); .1 is reserved for the
# gateway on each segment.
add name=pool-main ranges=192.168.10.10-192.168.10.254
add name=pool-iot ranges=192.168.30.10-192.168.30.254
add name=pool-guest ranges=192.168.40.10-192.168.40.254
add name=pool-homelab ranges=192.168.20.10-192.168.20.254
# Single-address pool for the /30 management link (only one client fits).
add name=pool-ether5-mgmt ranges=192.168.55.2
/ip dhcp-server
add address-pool=pool-main interface=vlan10-main name=dhcp-main
add address-pool=pool-iot interface=vlan30-iot name=dhcp-iot
add address-pool=pool-guest interface=vlan40-guest name=dhcp-guest
add address-pool=pool-homelab interface=vlan20-homelab name=dhcp-homelab
add address-pool=pool-ether5-mgmt interface=ether5-mgmt name=dhcp-ether5-mgmt
/disk settings
# NOTE(review): auto-smb-sharing=yes publishes any attached media over SMB on
# the bridge. The input chain below only lets the MGMT list reach router
# services other than DNS/DHCP/NTP, so IoT/guest cannot hit it, but if no
# storage is attached this can simply be set to no.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# Every port is an access port: a fixed PVID and
# frame-types=admit-only-untagged-and-priority-tagged, so a client cannot
# choose its own VLAN by sending tagged frames.
# NOTE(review): no static /interface bridge vlan entries are in this export;
# VLAN membership relies on the entries RouterOS derives from these PVIDs.
# Confirm with "/interface bridge vlan print" that each VLAN shows the bridge
# as a member, otherwise the vlanXX interfaces above will not pass traffic.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi1-homelab pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-homelab pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-iot pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wifi2-guest pvid=40
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on the management list, so IoT and
# guest clients do not learn the router's identity.
set discover-interface-list=MGMT
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlan10-main list=LAN
add interface=vlan30-iot list=LAN
add interface=vlan40-guest list=LAN
add interface=vlan20-homelab list=LAN
# vlan10-main is also MGMT: every device on the main SSID and on ether2-4 gets
# full router access and can initiate connections into every other VLAN.
# That is the trust decision behind this design; keep it in mind when
# deciding what joins the main network.
add interface=vlan10-main list=MGMT
# ether5-mgmt is in both lists so the management host still gets WAN access.
add interface=ether5-mgmt list=LAN
add interface=ether5-mgmt list=MGMT
/ip address
add address=192.168.10.1/24 interface=vlan10-main network=192.168.10.0
add address=192.168.30.1/24 interface=vlan30-iot network=192.168.30.0
add address=192.168.40.1/24 interface=vlan40-guest network=192.168.40.0
add address=192.168.20.1/24 interface=vlan20-homelab network=192.168.20.0
# /30 point-to-point link for the off-bridge management port.
add address=192.168.55.1/30 interface=ether5-mgmt network=192.168.55.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# The router is gateway and DNS resolver for every segment.
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.55.0/30 dns-server=192.168.55.1 gateway=192.168.55.1
/ip dns
# Needed so clients can use the router as resolver. Exposure towards the
# internet is prevented by the input chain: only the LAN/MGMT lists are
# accepted on udp/tcp 53 and the chain ends in "any to router: DROP".
set allow-remote-requests=yes
/ip firewall filter
# ---- input chain: what may talk TO the router ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Unrestricted router access (WinBox, SSH, web, API, ...) for vlan10-main and
# ether5-mgmt only.
add action=accept chain=input comment="MGMT to router: ACCEPT" \
    in-interface-list=MGMT
# All other segments (homelab, IoT, guest) may only use the router for
# DNS (53), DHCP (67) and NTP (123).
add action=accept chain=input comment=\
    "LAN to router (DNS, DHCP, NTP): ACCEPT" dst-port=53,67,123 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="LAN to router (DNS via TCP): ACCEPT" \
    dst-port=53 in-interface-list=LAN protocol=tcp
# Final default-deny; this is also what closes the router towards WAN.
add action=drop chain=input comment="any to router: DROP"
# ---- forward chain: what may pass THROUGH the router ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# fasttrack before drop-invalid is the defconf order; established/related
# flows bypass the rest of the chain once marked.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# One-way: main/mgmt may open connections into every VLAN; replies come back
# via the established/related rule above. Nothing lets IoT/guest/homelab
# initiate towards main or towards each other.
add action=accept chain=forward comment="MGMT to LAN: ACCEPT" \
    in-interface-list=MGMT out-interface-list=LAN
# Every segment (including guest and IoT) gets internet access.
add action=accept chain=forward comment="LAN to WAN: ACCEPT" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
# Default-deny: this is the rule that actually isolates the VLANs from each
# other (no LAN->LAN accept exists except the MGMT one).
add action=drop chain=forward comment="any to any: DROP"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# NOTE(review): "*2000012" is an internal object id, not a list name. It is
# how an export renders a reference to an interface list that no longer
# exists (the defconf LAN list was replaced by the custom one above), so this
# match is dangling. If IPv6 stays enabled, re-point this and the matching
# forward rule to in-interface-list=!LAN; if IPv6 is disabled, the whole
# section can go.
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000012
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Same dangling "*2000012" reference as in the IPv6 input chain above.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000012
/system clock
set time-zone-name=Europe/Zurich
/tool bandwidth-server
set enabled=no
/tool mac-server
# Layer-2 management: MAC-telnet fully off, MAC-WinBox only from the MGMT
# list, MAC-ping off. Together with discovery-settings above this keeps
# L2 management tooling away from the IoT/guest/homelab ports.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no

The management port only requires the address; there is no need for the pool, DHCP or DHCP-server settings. They can be removed.

If not using IPv6, one can disable IPv6 and remove all the associated firewall address lists and firewall rules. I only keep two:
forward drop all
input drop all.

@ OP

Please remove device serial number from export before posting !
(it surprises me a bit that none of the others mentioned this; they usually do)

I've cleaned up all three occurrences above.


Thank you @holvoetn for censoring the serial number; I'll make sure to remove it in future posts

I've disabled IPv6; thank you all for the kind help

Please confirm it's all working as required now!

All is working well; the previously-shared config works perfectly.
I added the IPv6 disabling, but that's it.

Thank you all for the help.

I have marked @erlinden's answer as the solution, but thank you @anav for the precious help.