Help swapping to Bridge VLAN filtering

Hi all.

I currently have an RB5009 set up with VLANs assigned to interfaces, which are then assigned to a bridge (see below).
However, I would like to change this to use the bridge's VLAN filtering (I'm having some issues where I believe using the ports with VLAN interfaces is breaking some traffic).
I am not sure what the best method is to achieve this / clean this up, so any help would be greatly appreciated.

The trunk port goes to another switch (the management interface is not currently on a VLAN, so the trunk port itself is in the br_mgmt group). The UAP dishes out some VLANs for the IoT, personal and gaming networks; the UAP itself resides on the mgmt network.

This is my current interface config (RouterOS 7.18beta2, RB5009UPr+S+):

/interface bridge add name=br_docker
/interface bridge add name=br_gaming
/interface bridge add name=br_guest
/interface bridge add name=br_iot
/interface bridge add name=br_lab
/interface bridge add name=br_mgmt
/interface bridge add name=br_personal
/interface bridge add name=br_vms
/interface ethernet set [ find default-name=ether1 ] name=ether1-Trunk poe-out=off
/interface ethernet set [ find default-name=ether2 ] name=ether2-UAP7
/interface ethernet set [ find default-name=ether3 ] name=ether3-Artemis
/interface ethernet set [ find default-name=ether4 ] name=ether4-PC
/interface ethernet set [ find default-name=ether5 ] name=ether5-PS5
/interface ethernet set [ find default-name=ether6 ] name=ether6-AppleTV
/interface ethernet set [ find default-name=ether7 ] name=ether7-Tapo
/interface ethernet set [ find default-name=ether8 ] name=ether8-UNIT_WAN
/interface wireguard add listen-port=13827 mtu=1420 name=WG-1
/interface wireguard add listen-port=13631 mtu=1420 name=WG-4
/interface wireguard add disabled=yes listen-port=57834 mtu=1420 name=WG-Hermes
/interface wireguard add listen-port=13239 mtu=1420 name=WG-3
/interface wireguard add listen-port=13820 mtu=1420 name=WG-2
/interface wireguard add listen-port=13531 mtu=1420 name=WG-5
/interface wireguard add comment="Thoth WG" listen-port=13731 mtu=1420 name=WG-6
/interface vlan add interface=ether2-UAP7 name=v11.pers-uap vlan-id=11
/interface vlan add interface=ether1-Trunk name=v11.personal vlan-id=11
/interface vlan add interface=ether2-UAP7 name=v15.game-uap vlan-id=15
/interface vlan add interface=ether1-Trunk name=v15.gaming vlan-id=15
/interface vlan add interface=ether1-Trunk name=v20.guest vlan-id=20
/interface vlan add interface=ether2-UAP7 name=v20.guest-uap vlan-id=20
/interface vlan add interface=ether1-Trunk name=v30.iot vlan-id=30
/interface vlan add interface=ether2-UAP7 name=v30.iot-uap vlan-id=30
/interface vlan add interface=ether1-Trunk name=v40.docker vlan-id=40
/interface vlan add interface=ether1-Trunk name=v50.vms vlan-id=50
/interface vlan add interface=ether1-Trunk name=v66.lab vlan-id=66
/interface vlan add interface=ether1-Trunk name=v100.mgmt vlan-id=100
/interface vlan add disabled=yes interface=ether2-UAP7 name=v100.mgmt-uap vlan-id=100
/interface list add name=wan
/interface list add name=lan
/interface bridge port add bridge=br_personal interface=v11.personal
/interface bridge port add bridge=br_mgmt interface=v100.mgmt
/interface bridge port add bridge=br_guest interface=v20.guest
/interface bridge port add bridge=br_iot interface=v30.iot
/interface bridge port add bridge=br_docker interface=v40.docker
/interface bridge port add bridge=br_gaming interface=ether5-PS5
/interface bridge port add bridge=br_vms interface=v50.vms
/interface bridge port add bridge=br_personal interface=ether6-AppleTV
/interface bridge port add bridge=br_iot interface=ether7-Tapo
/interface bridge port add bridge=br_iot interface=ether3-Artemis
/interface bridge port add bridge=br_lab interface=v66.lab
/interface bridge port add bridge=br_gaming interface=v15.gaming
/interface bridge port add bridge=br_guest interface=v20.guest-uap
/interface bridge port add bridge=br_iot interface=v30.iot-uap
/interface bridge port add bridge=br_gaming interface=v15.game-uap
/interface bridge port add bridge=br_personal interface=v11.pers-uap
/interface bridge port add bridge=br_mgmt interface=ether2-UAP7
/interface bridge port add bridge=br_gaming interface=ether4-PC
/interface bridge port add bridge=br_mgmt disabled=yes interface=sfp-sfpplus1
/interface bridge port add bridge=br_mgmt interface=ether1-Trunk
/interface bridge settings set use-ip-firewall=yes
/interface list member add interface=ether8-UNIT_WAN list=wan
/interface list member add interface=WG-1 list=wan
/interface list member add interface=WG-2 list=wan
/interface list member add disabled=yes interface=br_guest list=wan
/interface list member add interface=br_iot list=lan
/interface list member add interface=br_personal list=lan
/interface list member add interface=br_guest list=lan
/interface list member add interface=br_mgmt list=lan
/interface list member add interface=br_vms list=lan
/interface list member add interface=br_docker list=lan
/interface list member add interface=br_lab list=lan
/interface list member add interface=WG-5 list=wan
/interface list member add interface=WG-3 list=wan
/interface list member add interface=br_gaming list=lan
/interface list member add interface=WG-4 list=wan
/interface list member add disabled=yes interface=WG-6 list=lan
/interface list member add comment=thoth disabled=yes interface=WG-6 list=lan
/interface list member add interface=sfp-sfpplus1 list=wan
/interface list member add interface=WG-Hermes list=wan
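The thread stops short of the actual conversion, so here is an added example (my code, not the OP's configuration or anything from MikroTik) that reads the `/interface vlan` and `/interface bridge port` lines from the export above and derives the equivalent single-bridge VLAN-filtering configuration: every old `br_*` bridge becomes one VLAN ID, a member that was a VLAN interface becomes a tagged entry on its parent port, and a member that was a plain port becomes that port's pvid. Assumptions not in the post: the new bridge is named `bridge1`, the Layer 3 interfaces are named `vlan<ID>`, disabled entries are skipped, and when a port would be both tagged and untagged in the same VLAN the untagged side is kept and the case is reported rather than silently fixed. The sample input is the subset of the OP's export lines embedded so the script runs offline.

```python
import re
from collections import defaultdict

# Constructed sample input: the VLAN-interface and bridge-port lines from the export
# above (the disabled sfp-sfpplus1 port omitted); nothing else is needed for the VLAN table.
OLD_EXPORT = """\
/interface vlan add interface=ether2-UAP7 name=v11.pers-uap vlan-id=11
/interface vlan add interface=ether1-Trunk name=v11.personal vlan-id=11
/interface vlan add interface=ether2-UAP7 name=v15.game-uap vlan-id=15
/interface vlan add interface=ether1-Trunk name=v15.gaming vlan-id=15
/interface vlan add interface=ether1-Trunk name=v20.guest vlan-id=20
/interface vlan add interface=ether2-UAP7 name=v20.guest-uap vlan-id=20
/interface vlan add interface=ether1-Trunk name=v30.iot vlan-id=30
/interface vlan add interface=ether2-UAP7 name=v30.iot-uap vlan-id=30
/interface vlan add interface=ether1-Trunk name=v40.docker vlan-id=40
/interface vlan add interface=ether1-Trunk name=v50.vms vlan-id=50
/interface vlan add interface=ether1-Trunk name=v66.lab vlan-id=66
/interface vlan add interface=ether1-Trunk name=v100.mgmt vlan-id=100
/interface vlan add disabled=yes interface=ether2-UAP7 name=v100.mgmt-uap vlan-id=100
/interface bridge port add bridge=br_personal interface=v11.personal
/interface bridge port add bridge=br_mgmt interface=v100.mgmt
/interface bridge port add bridge=br_guest interface=v20.guest
/interface bridge port add bridge=br_iot interface=v30.iot
/interface bridge port add bridge=br_docker interface=v40.docker
/interface bridge port add bridge=br_gaming interface=ether5-PS5
/interface bridge port add bridge=br_vms interface=v50.vms
/interface bridge port add bridge=br_personal interface=ether6-AppleTV
/interface bridge port add bridge=br_iot interface=ether7-Tapo
/interface bridge port add bridge=br_iot interface=ether3-Artemis
/interface bridge port add bridge=br_lab interface=v66.lab
/interface bridge port add bridge=br_gaming interface=v15.gaming
/interface bridge port add bridge=br_guest interface=v20.guest-uap
/interface bridge port add bridge=br_iot interface=v30.iot-uap
/interface bridge port add bridge=br_gaming interface=v15.game-uap
/interface bridge port add bridge=br_personal interface=v11.pers-uap
/interface bridge port add bridge=br_mgmt interface=ether2-UAP7
/interface bridge port add bridge=br_gaming interface=ether4-PC
/interface bridge port add bridge=br_mgmt interface=ether1-Trunk
"""
NEW_BRIDGE = "bridge1"  # assumed name for the single filtering bridge; vlan<ID> names are assumed too
ATTR = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Return (vlan_ifaces, bridge_ports): name -> (parent port, vid), and [(bridge, member)]."""
    vlan_ifaces, bridge_ports = {}, []
    for line in text.splitlines():
        path, _, rest = line.strip().partition(" add ")
        attrs = {k: v.strip('"') for k, v in ATTR.findall(rest)}
        if attrs.get("disabled") == "yes":
            continue  # carries no traffic today; re-add by hand if it is still wanted
        if path == "/interface vlan":
            vlan_ifaces[attrs["name"]] = (attrs["interface"], int(attrs["vlan-id"]))
        elif path == "/interface bridge port":
            bridge_ports.append((attrs["bridge"], attrs["interface"]))
    return vlan_ifaces, bridge_ports

def build_plan(vlan_ifaces, bridge_ports):
    """Map each old bridge to one VLAN ID, then each port to its tagged VIDs and single pvid."""
    bridge_vid, conflicts = {}, []
    for bridge, member in bridge_ports:
        if member in vlan_ifaces:
            vid = vlan_ifaces[member][1]
            if bridge_vid.setdefault(bridge, vid) != vid:
                conflicts.append(f"{bridge}: members use VLAN {bridge_vid[bridge]} and {vid}")
    tagged, pvid = defaultdict(set), {}
    for bridge, member in bridge_ports:
        if bridge not in bridge_vid:
            conflicts.append(f"{bridge}: no VLAN-interface member, pick a VLAN ID for {member} by hand")
        elif member in vlan_ifaces:
            tagged[bridge_vid[bridge]].add(vlan_ifaces[member][0])  # the tag rides on the parent port
        elif pvid.setdefault(member, bridge_vid[bridge]) != bridge_vid[bridge]:
            conflicts.append(f"{member}: untagged in VLAN {pvid[member]} and {bridge_vid[bridge]}; one pvid per port")
    # A port cannot be both tagged and untagged in the same bridge VLAN entry. Keep the untagged
    # side (the OP says mgmt rides untagged on the trunk), drop the tag, and flag it for review.
    for port, vid in pvid.items():
        if port in tagged.get(vid, ()):
            tagged[vid].discard(port)
            conflicts.append(f"{port}: VLAN {vid} was both tagged and untagged; kept untagged (pvid={vid})")
    return bridge_vid, dict(tagged), pvid, conflicts

def render(bridge_vid, tagged, pvid, bridge=NEW_BRIDGE):
    """Emit commands in a safe order: bridge, ports, VLAN table, L3 interfaces, filtering last."""
    out = [f"/interface bridge add name={bridge} vlan-filtering=no"]
    for port in sorted(set(pvid) | {p for ps in tagged.values() for p in ps}):
        trunk = any(port in ps for ps in tagged.values())
        pv = f" pvid={pvid[port]}" if port in pvid else ""
        ft = ("admit-all" if trunk and pv else                  # hybrid: untagged mgmt plus tagged VLANs
              "admit-only-vlan-tagged" if trunk else            # pure trunk: untagged frames are dropped
              "admit-only-untagged-and-priority-tagged")         # access port: tagged frames are dropped
        out.append(f"/interface bridge port add bridge={bridge} interface={port}{pv} "
                   f"ingress-filtering=yes frame-types={ft}")
    old_name = {v: b for b, v in bridge_vid.items()}
    for vid in sorted(set(tagged) | set(pvid.values())):
        tag = ",".join([bridge] + sorted(tagged.get(vid, ())))  # the bridge itself is the CPU port; needed for L3
        untag = ",".join(sorted(p for p, v in pvid.items() if v == vid))
        out.append(f"/interface bridge vlan add bridge={bridge} vlan-ids={vid} tagged={tag}" + (f" untagged={untag}" if untag else ""))
        out.append(f"/interface vlan add interface={bridge} name=vlan{vid} vlan-id={vid} comment={old_name.get(vid, 'unmapped')}")
    out.append(f"/interface bridge set {bridge} vlan-filtering=yes")  # last, once the table is complete
    return out

def migrate(text):
    """Export text -> (RouterOS commands, conflicts that need a human decision)."""
    bridge_vid, tagged, pvid, conflicts = build_plan(*parse_export(text))
    return render(bridge_vid, tagged, pvid), conflicts
```

`print("\n".join(migrate(OLD_EXPORT)[0]))` gives a plan where ether1-Trunk and ether2-UAP7 become hybrid ports (pvid=100 for the untagged mgmt network, tagged 11/15/20/30 and, on the trunk, 40/50/66), the five device ports become access ports, and one conflict is reported: VLAN 100 is currently carried on the trunk both as the untagged native VLAN and as the tagged `v100.mgmt`, which a bridge VLAN table cannot express. The security-relevant way to resolve it is to move management to tagged 100 on the trunk and set the trunk to `frame-types=admit-only-vlan-tagged`, so an untagged device patched into the trunk run cannot land in the management network. Apply the commands in Safe Mode from a session on a VLAN the bridge (CPU) is tagged for, set `vlan-filtering=yes` only after the whole table is in, then move the `/ip address` entries, DHCP servers, interface-list members and the firewall rules' `in-interface=br_*` / `out-interface=br_*` references onto the `vlan<ID>` interfaces (or, better, onto interface lists) before removing the old bridges and VLAN interfaces. Once inter-VLAN traffic is routed through one bridge, `use-ip-firewall=yes` no longer buys anything and only forces same-VLAN frames through the IP firewall.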

/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)
Don't look at snippets.

Don’t know what happened but it double posted :shrug:

100% honest, there is a lot going on and it's a bit of a mess, but I am trying to tidy it up slowly. Hopefully it makes sense to you.

# 2025-02-10 07:50:55 by RouterOS 7.18beta2
#
# model = RB5009UPr+S+
/interface bridge add name=br_docker
/interface bridge add name=br_gaming
/interface bridge add name=br_guest
/interface bridge add name=br_iot
/interface bridge add name=br_lab
/interface bridge add name=br_mgmt
/interface bridge add name=br_personal
/interface bridge add name=br_vms
/interface ethernet set [ find default-name=ether1 ] name=ether1-Trunk poe-out=off
/interface ethernet set [ find default-name=ether2 ] name=ether2-UAP7
/interface ethernet set [ find default-name=ether3 ] name=ether3-Artemis
/interface ethernet set [ find default-name=ether4 ] name=ether4-PC
/interface ethernet set [ find default-name=ether5 ] name=ether5-PS5
/interface ethernet set [ find default-name=ether6 ] name=ether6-AppleTV
/interface ethernet set [ find default-name=ether7 ] name=ether7-Tapo
/interface ethernet set [ find default-name=ether8 ] name=ether8-UNIT_WAN
/interface wireguard add listen-port=13827 mtu=1420 name=WG-1
/interface wireguard add listen-port=13631 mtu=1420 name=WG-4
/interface wireguard add disabled=yes listen-port=57834 mtu=1420 name=WG-Hermes
/interface wireguard add listen-port=13239 mtu=1420 name=WG-3
/interface wireguard add listen-port=13820 mtu=1420 name=WG-2
/interface wireguard add listen-port=13531 mtu=1420 name=WG-5
/interface wireguard add comment="Thoth WG" listen-port=13731 mtu=1420 name=WG-6
/interface vlan add interface=ether2-UAP7 name=v11.pers-uap vlan-id=11
/interface vlan add interface=ether1-Trunk name=v11.personal vlan-id=11
/interface vlan add interface=ether2-UAP7 name=v15.game-uap vlan-id=15
/interface vlan add interface=ether1-Trunk name=v15.gaming vlan-id=15
/interface vlan add interface=ether1-Trunk name=v20.guest vlan-id=20
/interface vlan add interface=ether2-UAP7 name=v20.guest-uap vlan-id=20
/interface vlan add interface=ether1-Trunk name=v30.iot vlan-id=30
/interface vlan add interface=ether2-UAP7 name=v30.iot-uap vlan-id=30
/interface vlan add interface=ether1-Trunk name=v40.docker vlan-id=40
/interface vlan add interface=ether1-Trunk name=v50.vms vlan-id=50
/interface vlan add interface=ether1-Trunk name=v66.lab vlan-id=66
/interface vlan add interface=ether1-Trunk name=v100.mgmt vlan-id=100
/interface vlan add disabled=yes interface=ether2-UAP7 name=v100.mgmt-uap vlan-id=100
/interface list add name=wan
/interface list add name=lan
/ip pool add name=guest_pool ranges=192.168.20.100-192.168.20.200
/ip pool add name=iot_pool ranges=10.20.30.180-10.20.30.200
/ip pool add name=docker_pool ranges=10.20.40.180-10.20.40.200
/ip pool add name=vm_pool ranges=10.20.50.180-10.20.50.200
/ip pool add name=mgmt_pool ranges=10.20.10.180-10.20.10.200
/ip pool add name=personal_pool ranges=10.20.20.180-10.20.20.200
/ip pool add name=lab_pool ranges=10.20.66.100-10.20.66.200
/ip pool add name=gaming_pool ranges=10.20.15.180-10.20.15.200
/ip dhcp-server add address-pool=personal_pool interface=br_personal name=personal_dhcp
/ip dhcp-server add address-pool=guest_pool interface=br_guest name=guest_dhcp
/ip dhcp-server add address-pool=iot_pool interface=br_iot name=iot_dhcp
/ip dhcp-server add address-pool=docker_pool interface=br_docker name=docker_dhcp
/ip dhcp-server add address-pool=vm_pool interface=br_vms name=vm_dhcp
/ip dhcp-server add address-pool=mgmt_pool interface=br_mgmt name=mgmt_dhcp
/ip dhcp-server add address-pool=lab_pool interface=br_lab name=lab_dhcp
/ip dhcp-server add address-pool=gaming_pool interface=br_gaming name=gaming_dhcp
/routing pimsm instance add disabled=no name=pim-sm vrf=main
/routing table add disabled=no fib name=Unit
/routing table add disabled=no fib name=WG-1
/routing table add disabled=no fib name=WG-2
/routing table add disabled=no fib name=WG-5
/routing table add disabled=no fib name=WG-3
/routing table add disabled=no fib name=WG-4
/routing table add disabled=no fib name=WG-6
/routing table add disabled=no fib name=WG-BNL
/routing table add disabled=no fib name=LTE
/snmp community set [ find default=yes ] disabled=yes
/snmp community add addresses=10.20.10.0/24,10.20.20.0/24,10.20.30.0/24,10.20.40.0/24,10.20.50.0/24,10.20.15.0/24 name=turthome
/system logging action add name=logserver remote=10.20.50.15 target=remote
/interface bridge port add bridge=br_personal interface=v11.personal
/interface bridge port add bridge=br_mgmt interface=v100.mgmt
/interface bridge port add bridge=br_guest interface=v20.guest
/interface bridge port add bridge=br_iot interface=v30.iot
/interface bridge port add bridge=br_docker interface=v40.docker
/interface bridge port add bridge=br_gaming interface=ether5-PS5
/interface bridge port add bridge=br_vms interface=v50.vms
/interface bridge port add bridge=br_personal interface=ether6-AppleTV
/interface bridge port add bridge=br_iot interface=ether7-Tapo
/interface bridge port add bridge=br_iot interface=ether3-Artemis
/interface bridge port add bridge=br_lab interface=v66.lab
/interface bridge port add bridge=br_gaming interface=v15.gaming
/interface bridge port add bridge=br_guest interface=v20.guest-uap
/interface bridge port add bridge=br_iot interface=v30.iot-uap
/interface bridge port add bridge=br_gaming interface=v15.game-uap
/interface bridge port add bridge=br_personal interface=v11.pers-uap
/interface bridge port add bridge=br_mgmt interface=ether2-UAP7
/interface bridge port add bridge=br_gaming interface=ether4-PC
/interface bridge port add bridge=br_mgmt disabled=yes interface=sfp-sfpplus1
/interface bridge port add bridge=br_mgmt interface=ether1-Trunk
/interface bridge settings set use-ip-firewall=yes
/ip neighbor discovery-settings set discover-interface-list=!wan
/ip settings set rp-filter=loose
/interface list member add interface=ether8-UNIT_WAN list=wan
/interface list member add interface=WG-1 list=wan
/interface list member add interface=WG-2 list=wan
/interface list member add disabled=yes interface=br_guest list=wan
/interface list member add interface=br_iot list=lan
/interface list member add interface=br_personal list=lan
/interface list member add interface=br_guest list=lan
/interface list member add interface=br_mgmt list=lan
/interface list member add interface=br_vms list=lan
/interface list member add interface=br_docker list=lan
/interface list member add interface=br_lab list=lan
/interface list member add interface=WG-5 list=wan
/interface list member add interface=WG-3 list=wan
/interface list member add interface=br_gaming list=lan
/interface list member add interface=WG-4 list=wan
/interface list member add disabled=yes interface=WG-6 list=lan
/interface list member add comment=thoth disabled=yes interface=WG-6 list=lan
/interface list member add interface=sfp-sfpplus1 list=wan
/interface list member add interface=WG-Hermes list=wan
/ip address add address=10.20.20.1/24 interface=br_personal network=10.20.20.0
/ip address add address=192.168.20.1/24 interface=br_guest network=192.168.20.0
/ip address add address=10.20.40.1/24 interface=br_docker network=10.20.40.0
/ip address add address=10.20.50.1/24 interface=br_vms network=10.20.50.0
/ip address add address=10.20.10.1/24 interface=br_mgmt network=10.20.10.0
/ip address add address=10.2.0.2/30 interface=WG-1 network=10.2.0.0
/ip address add address=10.4.0.2/30 interface=WG-3 network=10.4.0.0
/ip address add address=10.13.199.2/24 disabled=yes interface=br_guest network=10.13.199.0
/ip address add address=10.20.30.1/24 interface=br_iot network=10.20.30.0
/ip address add address=10.20.66.1/24 interface=br_lab network=10.20.66.0
/ip address add address=10.5.5.2/24 interface=WG-5 network=10.5.5.0
/ip address add address=10.3.0.2/30 comment=WG-2 interface=WG-2 network=10.3.0.0
/ip address add address=10.20.15.1/24 interface=br_gaming network=10.20.15.0
/ip address add address=10.6.6.2/24 interface=WG-4 network=10.6.6.0
/ip address add address=10.7.7.1/24 interface=WG-6 network=10.7.7.0
/ip address add address=10.2.255.2/24 disabled=yes interface=v15.game-uap network=10.2.255.0
/ip arp add address=10.20.30.251 comment=Broadcast4Gamer interface=br_iot mac-address=FF:FF:FF:FF:FF:FF
/ip arp add address=10.20.15.251 comment=Broadcast4Gamer interface=br_gaming mac-address=FF:FF:FF:FF:FF:FF
/ip cloud set ddns-enabled=yes ddns-update-interval=30m
/ip dhcp-client add add-default-route=no interface=ether8-UNIT_WAN use-peer-dns=no use-peer-ntp=no
/ip dhcp-client
# Interface not active
add add-default-route=no interface=sfp-sfpplus1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network add address=10.20.10.0/24 comment=mgmt_dhcp dns-server=10.20.30.6,10.20.40.6 gateway=10.20.10.1 ntp-server=10.20.40.254
/ip dhcp-server network add address=10.20.15.0/24 comment=gaming_dhcp dns-server=10.20.40.6,10.20.30.6 gateway=10.20.15.1 ntp-server=10.20.40.254
/ip dhcp-server network add address=10.20.20.0/24 comment=personal_dhcp dns-server=10.20.40.6,10.20.30.6 gateway=10.20.20.1 ntp-server=10.20.40.254
/ip dhcp-server network add address=10.20.30.0/24 comment=iot_dhcp dns-server=10.20.30.6,10.20.40.6 gateway=10.20.30.1 ntp-server=10.20.40.254
/ip dhcp-server network add address=10.20.40.0/24 comment=docker_dhcp dns-server=10.20.40.6,10.20.30.6 gateway=10.20.40.1 ntp-server=10.20.40.254
/ip dhcp-server network add address=10.20.50.0/24 comment=vm_dhcp dns-server=10.20.40.6,10.20.30.6 gateway=10.20.50.1 ntp-server=10.20.40.254
/ip dhcp-server network add address=10.20.66.0/24 comment=lab_dhcp dns-server=10.20.40.6,10.20.30.6 gateway=10.20.66.1 ntp-server=10.20.40.254
/ip dhcp-server network add address=192.168.20.0/24 comment=guest_dhcp dns-server=10.20.40.6,10.20.30.6 gateway=192.168.20.1
/ip dns set doh-max-concurrent-queries=100 mdns-repeat-ifaces=br_personal,br_iot,br_docker,br_gaming use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static add address=1.1.1.1 name=cloudflare-dns.com type=A
/ip dns static add address=2606:4700::6810:f8f9 name=cloudflare-dns.com type=AAAA
/ip dns static add address=2606:4700::6810:f9f9 name=cloudflare-dns.com type=AAAA
/ip dns static add address=104.16.248.249 name=cloudflare-dns.com type=A
/ip dns static add address=104.16.249.249 name=cloudflare-dns.com type=A
/ip firewall address-list add address=10.20.20.0/24 list=trusted_admin
/ip firewall address-list add address=10.20.40.20 list=docker_allows
/ip firewall address-list add address=10.20.50.34 list=vm_allows
/ip firewall address-list add address=10.20.40.9 list=docker_allows
/ip firewall address-list add address=10.20.40.2 comment=Proxy list=docker_allows
/ip firewall address-list add address=10.20.40.69 comment=Stash list=docker_block
/ip firewall address-list add address=10.20.30.60 list=iot_block
/ip firewall address-list add address=10.20.20.250 list=multicast
/ip firewall address-list add address=10.20.30.250 list=multicast
/ip firewall address-list add address=10.20.40.250 list=multicast
/ip firewall address-list add address=10.20.50.250 list=multicast
/ip firewall address-list add address=10.20.50.13 list=vm_allows
/ip firewall address-list add address=10.20.40.30 list=docker_block
/ip firewall address-list add address=10.20.40.31 list=docker_block
/ip firewall address-list add address=10.20.40.32 list=docker_block
/ip firewall address-list add address=10.20.40.33 list=docker_block
/ip firewall address-list add address=10.20.40.34 list=docker_block
/ip firewall address-list add address=10.20.40.35 list=docker_block
/ip firewall address-list add address=10.20.50.20 list=vm_allows
/ip firewall address-list add address=54.168.160.148 list=sus_block
/ip firewall address-list add address=52.43.198.81 list=sus_block
/ip firewall address-list add address=52.197.145.140 list=sus_block
/ip firewall address-list add address=57.181.86.84 list=sus_block
/ip firewall address-list add address=54.95.87.80 list=sus_block
/ip firewall address-list add address=54.238.15.253 list=sus_block
/ip firewall address-list add address=44.238.9.232 list=sus_block
/ip firewall address-list add address=13.231.47.233 list=sus_block
/ip firewall address-list add address=54.199.125.90 list=sus_block
/ip firewall address-list add address=34.237.219.164 list=sus_block
/ip firewall address-list add address=54.234.53.197 list=sus_block
/ip firewall address-list add address=35.75.112.112 list=sus_block
/ip firewall address-list add address=discord.com list=web_allows
/ip firewall address-list add address=nz.pool.ntp.org list=ntp_servers
/ip firewall address-list add address=time.google.com list=ntp_servers
/ip firewall address-list add address=time.cloudflare.com list=ntp_servers
/ip firewall address-list add address=time.apple.com list=ntp_servers
/ip firewall address-list add address=10.20.40.254 comment=ntp-server list=docker_block
/ip firewall address-list add address=download.maxmind.com list=web_allows
/ip firewall address-list add address=tailscale.com list=web_allows
/ip firewall address-list add address=10.20.40.250 list=docker_block
/ip firewall address-list add address=10.20.30.250 list=iot_block
/ip firewall address-list add address=smtp.gmail.com list=web_allows
/ip firewall address-list add address=derp1-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp2-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp3-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp4-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp5-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp6-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp7-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp8-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp9-all.tailscale.com list=tailscale
/ip firewall address-list add address=der10-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp11-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp12-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp13-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp14-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp15-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp16-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp17-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp18-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp19-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp20-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp21-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp22-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp23-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp24-all.tailscale.com list=tailscale
/ip firewall address-list add address=derp25-all.tailscale.com list=tailscale
/ip firewall address-list add address=login.tailscale.com list=tailscale
/ip firewall address-list add address=controlplane.tailscale.com list=tailscale
/ip firewall address-list add address=log.tailscale.com list=tailscale
/ip firewall address-list add address=log.tailscale.io list=tailscale
/ip firewall address-list add address=10.20.40.70 comment=ipam list=docker_block
/ip firewall address-list add address=10.20.15.35 comment="Quest\?" disabled=yes list=gaming_block
/ip firewall address-list add address=10.20.40.55 list=downloaders
/ip firewall address-list add address=10.20.40.56 list=downloaders
/ip firewall address-list add address=10.20.40.57 list=downloaders
/ip firewall address-list add address=api.ipify.org list=web_allows
/ip firewall address-list add address=1.1.1.1 list=web_allows
/ip firewall address-list add address=10.20.50.40 list=vm_allows
/ip firewall address-list add address=10.20.40.45 comment=tdarr list=docker_block
/ip firewall address-list add address=10.20.40.46 comment=tdarr-node list=docker_block
/ip firewall address-list add address=10.20.50.99 comment=rdesktop list=vm_allows
/ip firewall address-list add address=10.20.30.15 comment=Reolink list=iot_block
/ip firewall address-list add address=10.20.50.41 comment=macos list=vm_allows
/ip firewall address-list add address=10.20.40.120 comment=Frigate list=docker_block
/ip firewall address-list add address=10.20.30.44 comment=Porch disabled=yes list=iot_block
/ip firewall address-list add address=10.20.50.52 comment=Singularity list=vm_allows
/ip firewall address-list add address=10.20.40.71 comment=ipam-cron list=docker_block
/ip firewall address-list add address=206.83.98.120 list=Thoth
/ip firewall address-list add address=10.20.30.90 comment="HP Printer" list=iot_block
/ip firewall filter add action=drop chain=input comment="=== INPUT: (A) BLOCKLISTS / KNOWN BAD SOURCES ===" disabled=yes
/ip firewall filter add action=drop chain=input log=yes log-prefix=FI_D_Firehol src-address-list=firehol
/ip firewall filter add action=drop chain=input log=yes log-prefix=FI_D_Sus src-address-list=sus_block
/ip firewall filter add action=drop chain=input comment="=== INPUT: (B) DEFAULT STATE HANDLING ===" disabled=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=FI_D_Invalid
/ip firewall filter add action=drop chain=input comment="=== INPUT: (C) ICMP & ADMIN/WG ACCESS ===" disabled=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp src-address-list=trusted_admin
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" log=yes log-prefix=FI_A_Ares src-address=10.6.6.1
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" log=yes log-prefix=FI_A_Thoth src-address=10.7.7.2
/ip firewall filter add action=accept chain=input comment="defconf: allow admin to router" in-interface-list=lan log-prefix=FI_A_Lan
/ip firewall filter add action=accept chain=input comment="Allow ThothWG in" in-interface=WG-6 log=yes log-prefix=FI_A_WGThoth
/ip firewall filter add action=accept chain=input comment="Allow ThothWG in" dst-port=13731 in-interface=WG-4 log=yes log-prefix=FI_A_WGThoth protocol=udp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment="Allow lan DNS queries - TCP" dst-port=53 in-interface-list=lan log-prefix=TCPDNS>> protocol=tcp
/ip firewall filter add action=drop chain=input comment="=== INPUT: (D) FINAL DROP ===" disabled=yes
/ip firewall filter add action=drop chain=input comment="drop all else" log=yes log-prefix=FI_D_Other
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (A) JUMP TO KID-CONTROL ===" disabled=yes
/ip firewall filter add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (B) BLOCKLISTS / KNOWN BAD SOURCES ===" disabled=yes
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes log-prefix=FF_F_Fasttrack
/ip firewall filter add action=drop chain=forward dst-address-list=firehol log=yes log-prefix=FF_D_Firehol
/ip firewall filter add action=drop chain=forward log=yes log-prefix=FF_D_Firehol src-address-list=firehol
/ip firewall filter add action=drop chain=forward dst-address-list=sus_block log=yes log-prefix=FF_D_Sus
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (C) DEFAULT STATE HANDLING ===" disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=FF_D_Invalid
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (D) LAN-TO-LAN / SERVICE ALLOWS ===" disabled=yes
/ip firewall filter add action=accept chain=forward comment="Allow Plex" in-interface-list=lan log-prefix=FF_A_S out-interface-list=lan src-address=10.20.40.9
/ip firewall filter add action=accept chain=forward comment="Allow Plex" dst-address=10.20.40.9 in-interface-list=lan log-prefix=FF_A_S out-interface-list=lan
/ip firewall filter add action=accept chain=forward comment="Allow NTP" in-interface-list=lan log-prefix=FF_A_NTP out-interface-list=lan protocol=udp src-address=10.20.40.254 src-port=123
/ip firewall filter add action=accept chain=forward comment="Allow NTP" dst-address=10.20.40.254 dst-port=123 in-interface-list=lan log-prefix=FF_A_NTP out-interface-list=lan protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow Privoxy" dst-address=10.20.40.100 dst-port=8118 in-interface=!br_guest in-interface-list=lan log=yes log-prefix=FF_A_Proxy out-interface-list=lan protocol=tcp
/ip firewall filter add action=accept chain=forward comment="Allow mDNS" dst-port=5353 in-interface-list=lan log-prefix=FF_A_mDNS out-interface-list=lan protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow DNS" dst-address=10.20.40.6 in-interface-list=lan out-interface-list=lan
/ip firewall filter add action=accept chain=forward comment="Allow DNS2" dst-address=10.20.30.6 in-interface-list=lan out-interface-list=lan
/ip firewall filter add action=accept chain=forward comment="Allow AptProxy" dst-address=10.20.40.7 in-interface-list=lan log-prefix=FF_A_AptProxy out-interface-list=lan
/ip firewall filter add action=accept chain=forward comment="Allow SwiftFin" dst-address=10.20.40.85 in-interface-list=lan log-prefix=FF_A_S out-interface-list=lan
/ip firewall filter add action=accept chain=forward comment="Allow LocalProxy" dst-address=10.20.40.3 dst-port=443 in-interface-list=lan log=yes log-prefix=FF_A_LCLPRX out-interface-list=lan protocol=tcp
/ip firewall filter add action=accept chain=forward comment="AppleTV All LAN" in-interface-list=lan log=yes log-prefix=FF_A_AppleTV out-interface=!br_mgmt out-interface-list=lan src-address=10.20.20.150
/ip firewall filter add action=accept chain=forward comment="Allow LocalSNMP" dst-address=10.20.40.251 in-interface=!br_guest in-interface-list=lan log=yes log-prefix=FF_A_LCLSNMP out-interface-list=lan port=161 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow LocalSNMP" in-interface-list=lan log=yes log-prefix=FF_A_LCLSNMP out-interface=!br_guest out-interface-list=lan port=161 protocol=udp src-address=10.20.40.251
/ip firewall filter add action=accept chain=forward comment="Allow libreping" in-interface-list=lan log-prefix=FF_A_LCLSNMP out-interface=!br_guest protocol=icmp src-address=10.20.40.251
/ip firewall filter add action=accept chain=forward comment="Allow libreping" in-interface=br_docker log-prefix=FF_A_SNMP out-interface=WG-6 port=161 protocol=udp src-address=10.20.40.251
/ip firewall filter add action=accept chain=forward comment="Allow libreping" dst-address=10.20.40.251 in-interface=WG-6 log-prefix=FF_A_SNMP out-interface=br_docker port=161 protocol=udp
/ip firewall filter add action=accept chain=forward comment="Allow Gamer2Minerva" dst-address=10.20.15.10 in-interface=br_gaming log-prefix=FF_A_SNMP out-interface=br_gaming
/ip firewall filter add action=accept chain=forward comment="Allow IGMP/MDNS" in-interface-list=lan log=yes log-prefix=FF_A_IGMP out-interface=!br_guest out-interface-list=lan protocol=igmp
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (E) VLAN-TO-WAN RULES ===" disabled=yes
/ip firewall filter add action=drop chain=forward comment="==Allow VLANs 2 WAN==" disabled=yes log-prefix=FF_A_Apple
/ip firewall filter add action=accept chain=forward comment="Personal 2 WAN" in-interface=br_personal out-interface-list=wan src-address=!10.20.20.250
/ip firewall filter add action=accept chain=forward comment="Guest 2 Wan" in-interface=br_guest out-interface-list=wan
/ip firewall filter add action=accept chain=forward comment="Gaming 2 WAN" in-interface=br_gaming out-interface-list=wan src-address-list=!gaming_block
/ip firewall filter add action=accept chain=forward comment="VMs 2 WAN" in-interface=br_vms out-interface-list=wan src-address-list=vm_allows
/ip firewall filter add action=accept chain=forward comment="IoT 2 WAN" in-interface=br_iot out-interface-list=wan src-address-list=!iot_block
/ip firewall filter add action=accept chain=forward comment="MGMT 2 WAN" in-interface=br_mgmt out-interface-list=wan src-address=10.20.10.10
/ip firewall filter add action=accept chain=forward comment="MGMT 2 WAN" in-interface=br_mgmt out-interface-list=wan src-address=10.20.10.51
/ip firewall filter add action=accept chain=forward comment="MGMT 2 WAN" in-interface=br_mgmt out-interface-list=wan src-address=10.20.10.15
/ip firewall filter add action=accept chain=forward comment="Docker 2 WAN" in-interface=br_docker out-interface-list=wan src-address-list=!docker_block
/ip firewall filter add action=drop chain=forward comment="==Extra WAN Allows==" disabled=yes log-prefix=FF_A_Apple
/ip firewall filter add action=accept chain=forward comment="VM to Web allows" dst-address-list=web_allows in-interface=br_vms out-interface-list=wan src-address-list=!vm_allows
/ip firewall filter add action=accept chain=forward comment="PDW 2 SMTP" dst-port=465 in-interface=br_vms out-interface-list=wan protocol=tcp src-address=10.20.50.12
/ip firewall filter add action=accept chain=forward comment="NTP 2 NTP's" dst-address-list=ntp_servers in-interface=br_docker out-interface-list=wan src-address=10.20.40.254
/ip firewall filter add action=drop chain=forward comment="==Allow Inter-VLAN==" disabled=yes log-prefix=FF_A_Apple
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (F) INTER-VLAN ALLOWS ===" disabled=yes
/ip firewall filter add action=accept chain=forward comment="Docker 2 VMs" in-interface=br_docker out-interface=br_vms
/ip firewall filter add action=accept chain=forward comment="Docker 2 TurtGamer" dst-address=10.20.15.30 in-interface=br_docker out-interface=br_gaming
/ip firewall filter add action=accept chain=forward comment="Splunk 2 Docker" in-interface=br_vms out-interface=br_docker src-address=10.20.50.15
/ip firewall filter add action=accept chain=forward comment="Gamer 2 Tdarr" dst-address=10.20.40.45 in-interface=br_gaming out-interface=br_docker src-address=10.20.15.30
/ip firewall filter add action=accept chain=forward comment="Tdarr 2 Gamer" dst-address=10.20.15.30 in-interface=br_docker out-interface=br_gaming src-address=10.20.40.45
/ip firewall filter add action=accept chain=forward comment="Docker 2 IoT" in-interface=br_docker log=yes log-prefix=FF_A_Docker2IoT out-interface=br_iot
/ip firewall filter add action=accept chain=forward comment="Proxy 2 Unifi" dst-address=10.20.10.15 in-interface=br_docker out-interface=br_mgmt src-address=10.20.40.3
/ip firewall filter add action=accept chain=forward comment="Apple 2 IoT" in-interface=br_personal log-prefix=FF_A_Apple2IoT out-interface=br_iot src-address-list=apple_devices
/ip firewall filter add action=accept chain=forward comment=HomeBridge in-interface=br_personal log-prefix=FF_A_HomeBridge out-interface=!br_mgmt out-interface-list=lan src-address=10.20.20.155
/ip firewall filter add action=accept chain=forward comment=HomeBridge dst-address=10.20.20.155 in-interface-list=lan log-prefix=FF_A_HomeBridge out-interface=br_personal out-interface-list=lan
/ip firewall filter add action=accept chain=forward comment="Wireguard Temp" in-interface=br_iot log=yes log-prefix=FF_A_WireguardOpen out-interface-list=lan src-address-list=wireguard_list
/ip firewall filter add action=accept chain=forward comment="Remina to TurtG" dst-address=10.20.15.30 in-interface=br_vms out-interface=br_gaming src-address=10.20.50.2
/ip firewall filter add action=accept chain=forward comment="Me to all LAN" in-interface=br_personal out-interface-list=lan src-address-list=trusted_admin
/ip firewall filter add action=accept chain=forward comment="Remote all access" in-interface=br_gaming out-interface-list=lan src-address=10.20.15.31
/ip firewall filter add action=accept chain=forward comment="Allow mgmt VLAN to initiate to other VLANs" in-interface=br_mgmt out-interface-list=lan
/ip firewall filter add action=accept chain=forward comment="Allow  Remote lan" in-interface=br_vms log-prefix=FF_A_S out-interface-list=lan src-address=10.20.50.20
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (G) DST-NAT / PORT FORWARDS ===" disabled=yes
/ip firewall filter add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat log-prefix=FF_A_PortFwd
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (H) WIREGUARD / EXTERNAL INBOUND ===" disabled=yes
/ip firewall filter add action=accept chain=forward comment="WGAres in" in-interface=WG-4 log=yes log-prefix=FF_A_WG2VM out-interface=br_docker
/ip firewall filter add action=accept chain=forward comment="WGAres in" in-interface=WG-4 log=yes log-prefix=FF_A_WG2VM out-interface=br_vms
/ip firewall filter add action=accept chain=forward comment="WGAres in" in-interface=WG-4 log=yes log-prefix=FF_A_WG2VM out-interface=br_iot
/ip firewall filter add action=accept chain=forward comment="WGAres in" in-interface=WG-4 log=yes log-prefix=FF_A_WG2VM out-interface=br_gaming
/ip firewall filter add action=accept chain=forward comment="Allow to thoth" dst-address=192.168.1.0/24 in-interface=br_vms log-prefix=FF_A_LCLSNMP out-interface=WG-6 src-address=10.20.50.20
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (I) MISC INTER-VLAN / IOT / DOCKER ALLOWS ===" disabled=yes
/ip firewall filter add action=accept chain=forward comment="ipam ping" in-interface=br_docker out-interface-list=lan protocol=icmp src-address=10.20.40.70
/ip firewall filter add action=accept chain=forward comment="ipam ping" in-interface=br_docker out-interface-list=lan protocol=icmp src-address=10.20.40.71
/ip firewall filter add action=accept chain=forward comment="HassIO 2 IoT" dst-address-list=apple_devices in-interface=br_docker log=yes log-prefix=FF_A_HASSIO out-interface=br_personal src-address=10.20.40.8
/ip firewall filter add action=accept chain=forward comment="HassIO 2 IoT" in-interface=br_docker log=yes log-prefix=FF_A_HASSIO out-interface=br_iot src-address=10.20.40.8
/ip firewall filter add action=accept chain=forward comment="HassIO 2 IoT" dst-address=10.20.10.50 in-interface=br_docker log=yes log-prefix=FF_A_HASSIO out-interface=br_mgmt protocol=udp src-address=10.20.40.8
/ip firewall filter add action=accept chain=forward comment="HassIO 2 IoT" dst-address=10.20.10.50 dst-port=443 in-interface=br_docker log=yes log-prefix=FF_A_HASSIO out-interface=br_mgmt protocol=tcp src-address=10.20.40.8
/ip firewall filter add action=accept chain=forward comment="HassIO 2 IoT" dst-address=192.168.1.10 dst-port=8181 in-interface=br_docker log=yes log-prefix=FF_A_HASSIO out-interface=WG-6 protocol=tcp src-address=10.20.40.8
/ip firewall filter add action=accept chain=forward comment="Thoth 2 Plex" dst-address=10.20.40.9 in-interface=WG-6 log=yes log-prefix=FF_A_plx out-interface=br_docker
/ip firewall filter add action=accept chain=forward comment="Thoth 2 Plex" in-interface=br_docker log=yes log-prefix=FF_A_plx out-interface=WG-6 port=32400 protocol=tcp src-address=10.20.40.9
/ip firewall filter add action=accept chain=forward comment=PI2FRIG dst-address=10.20.40.120 in-interface=br_iot out-interface=br_docker port=8554 protocol=tcp src-address=10.20.30.6
/ip firewall filter add action=accept chain=forward comment=Kometa2Tau dst-address=192.168.1.10 dst-port=8181 in-interface=br_docker log=yes log-prefix=FF_A_Kometa out-interface=WG-6 protocol=tcp src-address=10.20.40.11
/ip firewall filter add action=accept chain=forward comment=Ollama dst-address=10.20.15.30 in-interface=br_docker log=yes log-prefix=FF_A_Ollama out-interface=br_gaming protocol=tcp src-address=10.20.40.125
/ip firewall filter add action=accept chain=forward comment=TRG-TDAR dst-address=10.20.40.45 in-interface=br_gaming out-interface=br_docker src-address=10.20.15.30
/ip firewall filter add action=accept chain=forward comment=Remote-Mac dst-address=10.20.20.55 in-interface=br_vms log=yes log-prefix=FF_A_REM2MAC out-interface=br_personal src-address=10.20.50.2
/ip firewall filter add action=accept chain=forward comment="Allow mgmt to respond to vms" disabled=yes in-interface=br_mgmt out-interface=br_vms
/ip firewall filter add action=drop chain=forward comment="=== FORWARD: (J) VLAN ISOLATION / FINAL DROPS ===" disabled=yes
/ip firewall filter add action=drop chain=forward comment="Block UDP 1900" dst-port=1900 in-interface=br_iot log-prefix=FF_D_NotGuest protocol=udp
/ip firewall filter add action=drop chain=forward comment="Isolate VLANS from others" in-interface=br_guest log=yes log-prefix=FF_D_NotGuest out-interface=!br_guest
/ip firewall filter add action=drop chain=forward in-interface=br_gaming log=yes log-prefix=FF_D_NotGaming out-interface=!br_gaming
/ip firewall filter add action=drop chain=forward in-interface=br_personal log=yes log-prefix=FF_D_NotPersonal out-interface=!br_personal
/ip firewall filter add action=reject chain=forward in-interface=br_iot log=yes log-prefix=FF_RJ_NotIoT out-interface=!br_iot reject-with=icmp-network-unreachable
/ip firewall filter add action=reject chain=forward in-interface=br_docker log=yes log-prefix=FF_RJ_NonDocker out-interface=!br_docker reject-with=icmp-network-unreachable
/ip firewall filter add action=reject chain=forward in-interface=br_lab log=yes log-prefix=FF_RJ_NotLab out-interface=!br_lab reject-with=icmp-network-unreachable
/ip firewall filter add action=reject chain=forward in-interface=br_vms log=yes log-prefix=FF_RJ_NotVMs out-interface=!br_vms reject-with=icmp-network-unreachable src-address=!10.20.50.34
/ip firewall filter add action=drop chain=forward comment="Block other VLANs from initiating to mgmt VLAN" in-interface=!br_mgmt log=yes log-prefix=FF_D_NotMgmt out-interface=br_mgmt
/ip firewall filter add action=drop chain=forward comment="drop all else" log=yes log-prefix=FF_D_Other
/ip firewall filter add action=drop chain=output comment="=== OUTPUT: BLOCKLISTS ===" disabled=yes
/ip firewall filter add action=drop chain=output dst-address-list=firehol log=yes log-prefix=FO_D_Firehol
/ip firewall mangle add action=change-ttl chain=prerouting in-interface=ether8-UNIT_WAN new-ttl=set:53
/ip firewall mangle add action=mark-packet chain=forward comment="Thoth Packet" new-packet-mark=I_Thoth src-address-list=Thoth
/ip firewall mangle add action=mark-packet chain=forward new-packet-mark=O_NZ out-interface=WG-2
/ip firewall mangle add action=mark-packet chain=forward new-packet-mark=O_AU out-interface=WG-1
/ip firewall mangle add action=mark-packet chain=forward new-packet-mark=O_Ares out-interface=WG-4
/ip firewall mangle add action=mark-packet chain=prerouting in-interface=WG-4 new-packet-mark=I_Ares
/ip firewall mangle add action=mark-packet chain=prerouting in-interface=WG-1 new-packet-mark=I_AU
/ip firewall mangle add action=mark-packet chain=prerouting in-interface=WG-2 new-packet-mark=I_NZ
/ip firewall mangle add action=mark-packet chain=forward comment=Smokeping2d new-packet-mark=O_Smokeping src-address=10.20.40.63
/ip firewall mangle add action=mark-packet chain=forward comment=Smokeping1 new-packet-mark=O_Smokeping src-address=10.20.40.64
/ip firewall mangle add action=mark-packet chain=forward comment=Smokeping2 new-packet-mark=O_Smokeping src-address=10.20.40.65
/ip firewall mangle add action=mark-packet chain=forward comment=Multicast new-packet-mark=O_mdns protocol=udp src-address-list=multicast src-port=5353
/ip firewall mangle add action=mark-packet chain=forward comment=Multicast dst-address-list=multicast dst-port=5353 new-packet-mark=I_mdns protocol=udp
/ip firewall mangle add action=mark-packet chain=forward comment=Tailscale dst-address-list=tailscale new-packet-mark=tailscale
/ip firewall mangle add action=mark-packet chain=forward comment=Tailscaler new-packet-mark=tailscale src-address-list=tailscale
/ip firewall mangle add action=mark-connection chain=forward comment="PC 2 Quest" dst-address=10.20.30.101 new-connection-mark=GamerStream src-address=10.20.30.90
/ip firewall mangle add action=mark-packet chain=forward comment="Mark Gaming Packets" connection-mark=GamerStream new-packet-mark=gaming_traffic passthrough=no
/ip firewall mangle add action=mark-packet chain=forward comment=Wireguard dst-address=10.20.30.6 dst-port=51829 new-packet-mark=Wireguard protocol=udp
/ip firewall mangle add action=add-dst-to-address-list address-list=wireguard_list address-list-timeout=5m chain=forward comment=Wireguard dst-address=10.20.30.6 dst-port=51829 log-prefix=MF_AD_Wireguard protocol=udp
/ip firewall mangle add action=add-src-to-address-list address-list=wireguard_Src address-list-timeout=5m chain=forward comment=Wireguard dst-address=10.20.30.6 dst-port=51829 log-prefix=MF_AD_WireguardSrc protocol=udp
/ip firewall mangle add action=mark-routing chain=prerouting disabled=yes new-routing-mark=WG-3 src-address-list=wireguard_list
/ip firewall mangle add action=mark-connection chain=forward dst-address-list=downloaders new-connection-mark=Downloaders out-interface-list=wan
/ip firewall mangle add action=mark-connection chain=forward in-interface-list=wan new-connection-mark=Downloaders src-address-list=downloaders
/ip firewall mangle add action=mark-packet chain=forward connection-mark=Downloaders disabled=yes new-packet-mark=download_pkt
/ip firewall mangle add action=mark-connection chain=prerouting comment="Split Route test" dst-port=51829 in-interface=WG-4 log-prefix=MR_MC_PrtFwd new-connection-mark=port_fwd_conn protocol=udp
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=port_fwd_conn in-interface=br_iot log-prefix=MR_MR_PortFwd new-routing-mark=WG-4 passthrough=no
/ip firewall mangle add action=mark-connection chain=prerouting comment="Plex Split Route" dst-port=33434 in-interface=WG-4 log-prefix=MR_MC_Plex new-connection-mark=plex_fwd_conn protocol=tcp
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=plex_fwd_conn disabled=yes in-interface=br_docker log-prefix=MR_MR_PlexFwd new-routing-mark=WG-3 passthrough=no
/ip firewall mangle add action=mark-connection chain=prerouting comment="atm9 Route" dst-port=25565 in-interface=WG-4 log-prefix=MR_MC_PrtFwd new-connection-mark=atm9_fwd_conn protocol=tcp
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=atm9_fwd_conn in-interface=br_gaming log-prefix=MR_MR_PortFwd new-routing-mark=WG-4 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment=SplitRoute-WG disabled=yes dst-address-list=Thoth log-prefix=MR_MC_Thoth new-routing-mark=WG-4
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=wg_fwd_conn disabled=yes in-interface=WG-4 log-prefix=MR_MR_PortFwd new-routing-mark=WG-4 passthrough=no
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ Unit" log=yes log-prefix=NS_M_Unit out-interface=ether8-UNIT_WAN
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ WG45" log=yes log-prefix=NS_M_WGAU out-interface=WG-1
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ WG21" log=yes log-prefix=NS_M_WGNZ out-interface=WG-2
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ WG6" log-prefix=NS_M_WGNZ out-interface=WG-3
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ WGThoth" log=yes log-prefix=NS_M_WGhoth out-interface=WG-6
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ WGLin" log=yes log-prefix=NS_M_WGLi out-interface=WG-5
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ LTE" log=yes log-prefix=NS_M_SFP out-interface=sfp-sfpplus1
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ Hermes" log=yes log-prefix=NS_M_WGHermes out-interface=WG-Hermes
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ WGVoyag" disabled=yes log=yes log-prefix=NS_M_WGAres out-interface=WG-4
/ip firewall nat add action=masquerade chain=srcnat comment="MASQ Thoth" disabled=yes log=yes log-prefix=NS_M_WGThoth out-interface=WG-6
/ip hotspot profile set [ find default=yes ] html-directory=hotspot
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route add comment="WG NZ21" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.3.0.1 pref-src="" routing-table=WG-2 scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="WG ID6" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.4.0.1 pref-src="" routing-table=WG-3 scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=UNIT_WAN disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.88.1 pref-src="" routing-table=Unit scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="WG AU" disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.2.0.1 pref-src="" routing-table=WG-1 scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="WG LINODE" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.5.5.1 pref-src="" routing-table=WG-5 scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="WG Voyag" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.6.6.1 pref-src="" routing-table=WG-4 scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=10 dst-address=10.6.6.0/24 gateway=WG-4 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=10 dst-address=10.5.5.1/32 gateway=WG-5 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment="WG Voyag" disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=10.6.6.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=Thoth disabled=yes distance=5 dst-address=192.168.1.0/24 gateway=10.20.10.10 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add check-gateway=arp comment=UNIT_WAN disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.88.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add comment=SealyHome disabled=no dst-address=192.168.1.0/24 gateway=10.7.7.2 routing-table=main suppress-hw-offload=no
/ip route add check-gateway=ping comment=LTE_WAN disabled=no distance=5 dst-address=0.0.0.0/0 gateway=10.10.10.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no dst-address=10.8.8.0/24 gateway=10.6.6.1 routing-table=main suppress-hw-offload=no
/ip route add check-gateway=ping comment=LTE_WAN disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.10.10.1 pref-src="" routing-table=LTE scope=30 suppress-hw-offload=no target-scope=10
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=10.20.50.20/32
/ip service set ssh address=10.20.20.0/24,10.20.15.31/32
/ip service set api address=10.20.20.50/32 disabled=yes port=8674
/ip service set winbox address=10.20.20.0/24,10.20.10.0/24,10.20.50.0/24
/ip service set api-ssl disabled=yes
/ip smb shares set [ find default=yes ] directory=pub
/ip traffic-flow set enabled=yes
/ip traffic-flow target add dst-address=10.20.50.16
/routing pimsm interface-template add disabled=no instance=pim-sm interfaces=br_personal,br_docker,br_iot
/routing rule add action=lookup-only-in-table comment=iotLAN disabled=no dst-address=10.20.30.0/24 table=main
/routing rule add action=lookup-only-in-table comment=DockerLAN disabled=no dst-address=10.20.40.0/24 table=main
/routing rule add action=lookup-only-in-table comment=VMLAN disabled=no dst-address=10.20.50.0/24 table=main
/routing rule add action=lookup-only-in-table comment=LABLAN disabled=no dst-address=10.20.66.0/24 table=main
/routing rule add action=lookup-only-in-table comment=PersonalLAN disabled=no dst-address=10.20.20.0/24 table=main
/routing rule add action=lookup-only-in-table comment=GamingLAN disabled=no dst-address=10.20.15.0/24 table=main
/routing rule add action=lookup-only-in-table comment=Zephyr disabled=no dst-address=10.10.10.0/24 table=main
/routing rule add action=lookup-only-in-table comment=mgmtLAN disabled=no dst-address=10.20.10.0/24 table=main
/routing rule add action=lookup-only-in-table comment=GuestLAN disabled=no dst-address=192.168.20.0/24 table=main
/routing rule add action=lookup-only-in-table disabled=no dst-address=192.168.1.0/24 table=main
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.5.5.0/24 table=WG-5
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.6.6.0/24 table=WG-4
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.7.7.0/24 table=WG-6
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.8.8.0/24 table=main

/routing rule add action=lookup comment=GamingLAN disabled=no src-address=10.20.15.0/24 table=Unit
/routing rule add action=lookup disabled=no src-address=10.20.10.0/24 table=WG-2
/routing rule add action=lookup disabled=no src-address=10.20.20.0/24 table=Unit
/routing rule add action=lookup disabled=no src-address=192.168.20.0/24 table=Unit
/routing rule add action=lookup disabled=no src-address=10.20.30.0/24 table=WG-2
/routing rule add action=lookup disabled=no src-address=10.20.40.0/24 table=WG-2
/routing rule add action=lookup disabled=no src-address=10.20.50.0/24 table=WG-1
/snmp set contact=turt enabled=yes location=home trap-community=turthome trap-version=2
/system clock set time-zone-name=Pacific/Auckland
/system identity set name=##########
/system leds add disabled=yes leds=user-led type=on
/system leds settings set all-leds-off=immediate
/system logging set 0 topics=info,!firewall
/system logging add topics=script
/system logging add action=logserver topics=wireguard
/system logging add action=logserver prefix="serial=HH50AAKD4R7 MikroTik" topics=hotspot
/system logging add action=logserver prefix="serial=HH50AAKD4R7 MikroTik" topics=!debug,!packet,!snmp
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=10.20.40.254
/system package update set channel=development
/system scheduler add interval=1d name=UpdateCheck on-event="/system script run Update_Script" policy=read,write,policy,test start-date=2023-08-24 start-time=00:00:00
/system scheduler add interval=6d name=Firehol_execute on-event="/system script run Firehol_full" policy=ftp,read,write,policy,test,password,sniff,sensitive,romon start-date=2025-01-28 start-time=02:30:00
/system scheduler add interval=1w name=AUNZ_execute on-event="/system script run AUNZ_Script" policy=ftp,read,write,policy,test,sniff,sensitive,romon start-date=2023-08-24 start-time=00:00:00
/system scheduler add interval=5m name=Data_to_Splunk on-event="/system script run Data_to_Splunk_using_Syslog" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-08-24 start-time=08:51:43
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=lan
/tool mac-server mac-winbox set allowed-interface-list=lan
/tool netwatch add comment=WG-Voyager disabled=no down-script=Netwatch host=10.6.6.1 http-codes="" interval=30s name=WG-Voyag_Watch src-address=10.6.6.2 test-script="" type=simple up-script=Netwatch
/tool netwatch add comment=WG-1 disabled=no down-script=Netwatch host=10.2.0.1 http-codes="" interval=30s name=WG-1_Watch src-address=10.2.0.2 test-script="" type=simple up-script=Netwatch
/tool netwatch add comment=WG-2 disabled=no down-script=Netwatch host=10.3.0.1 http-codes="" interval=30s name=WG-2_Watch src-address=10.3.0.2 test-script="" type=simple up-script=Netwatch
/tool netwatch add comment=WG-4 disabled=no down-script=" Netwatch" host=10.5.5.1 http-codes="" interval=30s name=WG-4_Watch src-address=10.5.5.2 test-script="" type=simple up-script=Netwatch
/tool netwatch add comment=WG-3 disabled=no down-script=Netwatch host=10.4.0.1 http-codes="" interval=30s name=WG-3_Watch src-address=10.4.0.2 test-script="" type=simple up-script=Netwatch
/tool netwatch add comment=WG-6 disabled=no down-script=Netwatch host=10.7.7.2 http-codes="" interval=5m name=WG-6_Watch src-address=10.7.7.1 test-script="" type=simple up-script=Netwatch
/tool sniffer set filter-stream=yes streaming-enabled=yes streaming-server=10.20.10.10:30555

Read this article: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
ONE BRIDGE
All VLANs associated to the bridge.
The management or trusted VLAN is where all smart devices (that can read VLAN tags) get their IP address from.

Highly recommend you configure from a safe spot.
Take one port, let's say ether8, off ANY bridge, give it an address and ensure it's part of the LAN or TRUSTED interface list.
/interface ethernet
set [ find default-name=ether8 ] name=OffBridge8

/ip address
add address=192.168.55.1/30 interface=OffBridge8 network=192.168.55.0
/interface list member
add interface=OffBridge8 list=LAN

Then plug your laptop into ether8, change the IPv4 settings to 192.168.55.2 and you should be able to gain access through the usual login.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Why so many WireGuard interfaces…
Please explain your VPN needs more fully.
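As an added example (not the reply author's or the OP's config), this is what the "one bridge, all VLANs on it" layout above looks like for the ports in this thread: the VLAN IDs, the bridge name `bridge1` and the router's own `.1` addresses are assumptions, the subnets are the ones the firewall and routing rules use, and the VLAN interfaces reuse the existing `br_*` names so the forward rules that match `in-interface=br_iot`, `out-interface=br_mgmt` and so on keep working without a rewrite.

```routeros
# Added example, not the original poster's config.
# Assumed VLAN IDs (not visible in the thread): mgmt 10, gaming 15, personal 20,
# iot 30, docker 40, vms 50, lab 66, guest 99. Router addresses (.1) are assumed.
# Do this from the OffBridge8 port described above. The old per-VLAN bridges
# (br_mgmt, br_iot, ...) and their /ip address entries must be removed first so
# the names can be reused for VLAN interfaces.

/interface bridge
add name=bridge1 vlan-filtering=no

# Bridge ports. pvid is the VLAN that untagged frames arriving on the port join.
# Trunk and uAP keep mgmt untagged (pvid=10), as in the current setup; the
# access ports only accept untagged frames.
/interface bridge port
add bridge=bridge1 interface=ether1-Trunk pvid=10
add bridge=bridge1 interface=ether2-UAP7 pvid=10
add bridge=bridge1 interface=ether4-PC pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5-PS5 pvid=15 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether6-AppleTV pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether7-Tapo pvid=30 frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: which ports carry each VLAN tagged or untagged. bridge1 itself is
# tagged in every VLAN so the router gets an L3 interface in each one.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether1-Trunk,ether2-UAP7
add bridge=bridge1 vlan-ids=15 tagged=bridge1,ether1-Trunk,ether2-UAP7 untagged=ether5-PS5
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether1-Trunk,ether2-UAP7 untagged=ether4-PC,ether6-AppleTV
add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether1-Trunk,ether2-UAP7 untagged=ether7-Tapo
add bridge=bridge1 vlan-ids=40 tagged=bridge1,ether1-Trunk
add bridge=bridge1 vlan-ids=50 tagged=bridge1,ether1-Trunk
add bridge=bridge1 vlan-ids=66 tagged=bridge1,ether1-Trunk
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1-Trunk,ether2-UAP7

# L3 interfaces on the bridge, named after the old bridges so the existing
# /ip firewall filter rules and /interface list members keep matching.
/interface vlan
add interface=bridge1 name=br_mgmt vlan-id=10
add interface=bridge1 name=br_gaming vlan-id=15
add interface=bridge1 name=br_personal vlan-id=20
add interface=bridge1 name=br_iot vlan-id=30
add interface=bridge1 name=br_docker vlan-id=40
add interface=bridge1 name=br_vms vlan-id=50
add interface=bridge1 name=br_lab vlan-id=66
add interface=bridge1 name=br_guest vlan-id=99

# Router addresses per VLAN (the .1 host is assumed). DHCP servers move from
# the old bridges to these interfaces.
/ip address
add address=10.20.10.1/24 interface=br_mgmt
add address=10.20.15.1/24 interface=br_gaming
add address=10.20.20.1/24 interface=br_personal
add address=10.20.30.1/24 interface=br_iot
add address=10.20.40.1/24 interface=br_docker
add address=10.20.50.1/24 interface=br_vms
add address=10.20.66.1/24 interface=br_lab
add address=192.168.20.1/24 interface=br_guest

# Re-add any interface list members that went invalid when the old bridges were
# removed (the firewall uses the lowercase list name lan).
/interface list member
add interface=br_mgmt list=lan
add interface=br_personal list=lan
add interface=br_gaming list=lan
add interface=br_iot list=lan
add interface=br_docker list=lan
add interface=br_vms list=lan
add interface=br_lab list=lan
add interface=br_guest list=lan

# Turn filtering on last, then verify the VLAN table and that you still reach
# the router via OffBridge8.
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print
/interface bridge host print
```

With filtering on, a device on an access port can no longer reach another VLAN by tagging its own frames, because the port only admits untagged traffic and the bridge VLAN table decides which VLANs each port may carry.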

Thanks for the link, that actually looks extremely helpful for what I'm needing.
Never had to use bridge VLANs, and previously had another switch in the setup so never really thought about it much until I upgraded to the 5009.

Re the WireGuards:
3 of them go to different countries via a VPN provider (and have rules to dictate what devices or subnets go to each tunnel); the rest go to other routers I have around the country / in another country, mostly for management and metrics. One of them I use for its static IP for a website / port forwarding (as I am currently behind CGNAT). For the sake of uploading the config here I removed their names and comments.

Okay, understood.
Interface x3 covers three third-party VPNs to different locations (or one company with three different addresses).

Interface xN covers connections to other routers.
However, your router is only a client peer for the handshake; one other router is the actual server peer for the handshake, aka has a public WAN IP.
So is it correct to assume all other routers connect to the server router for the handshake?

If so, then we need all routers' WireGuard settings and the peer server router's MT config as well, if MT.

Do you control all routers (are you the admin)? If not, please describe your relationship.
Do you ever travel to the other router sites as admin?

Yep, so in this instance WG-4 is a CHR on a VPS; this is the primary public IP connection for my RB5009.
WG-5 is another CHR on a VPS with a static IP, however this connection is used mainly for metrics from the router.
WG-6 gets forwarded through WG-4, however I have been meaning to change this so it terminates at WG-4 instead of being passed on. WG-6 is also behind a CGNAT, which is why the RB5009 is acting as responder.
These aren't too important though, as only one device on my LAN (metrics server) needs a connection to them, and then some devices (nginx, proxy etc.) have access to WG-4 as the primary WAN.