Help to setup mDNS through VLANs

Hello,

I have an ax3 with 3 VLAN setup (home, iot and guest), and an ax2 as CAP/switch.

I want to setup mDNS to work between VLANs, but I am a bit confused about firewall rules.

I have enabled mDNS:

/ip dns
# Router-side mDNS repeater: RouterOS re-emits mDNS seen on any listed interface
# onto the others, so the repeated packets originate from the router itself and
# cross-VLAN mDNS does not depend on the forward chain.
set mdns-repeat-ifaces=vlan-home,vlan-iot,vlan-guest

My 3 VLANs are in a list named VLANS. I have a rule to deny traffic between the VLANS.

/ip firewall filter
# Forward-chain isolation: any packet entering on a VLANS member and leaving on
# another VLANS member is rejected (vlan-home -> vlan-iot included, since both
# are in VLANS).  It does not affect traffic addressed to the router itself
# (input chain), which is where mDNS to 224.0.0.251 lands.
add action=reject chain=forward comment="VLANS: isolated from each other" \
    in-interface-list=VLANS out-interface-list=VLANS reject-with=\
    icmp-admin-prohibited

Maybe I need to think about this and change to rules that only allow iot and guest access to WAN?

So, I have created a firewall rule like this, but not sure if it is the correct way to allow mDNS to work.

/ip firewall filter 
# Input-chain accept for mDNS multicast from any VLANS member.  Narrow match:
# protocol, destination group and destination port are all pinned.  Unicast
# mDNS sent to the router's own VLAN address (e.g. 192.168.20.1:5353) is not
# matched by dst-address=224.0.0.251.
add action=accept chain=input comment=allow-mDNS dst-address=224.0.0.251 \
    dst-port=5353 in-interface-list=VLANS protocol=udp

The rule is placed before the “drop all not coming from LAN”.

Here is the complete export:

# 2026-05-06 19:32:36 by RouterOS 7.22.2
# software id = WAZD-3LKR
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
# One VLAN-filtering bridge.  frame-types=admit-only-vlan-tagged applies to the
# bridge's own (CPU) port, so every L3 VLAN interface below reaches the bridge
# as a tagged member (see /interface bridge vlan further down).
add admin-mac=F4:1E:57:9E:1B:29 auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged igmp-snooping=yes name=bridge vlan-filtering=yes
/interface eoip
# EoIP tunnels over the two WireGuard site-to-site links (172.17.0.x/30 below);
# both are later added to the bridge untagged with pvid=10, i.e. into VLAN 10.
add local-address=172.17.0.1 mac-address=FE:42:C5:9B:26:02 mtu=1500 name=\
    eoip-iptv-al remote-address=172.17.0.2 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:D9:9C:6F:15:2F mtu=1500 name=\
    eoip-iptv-cr remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
# back-to-home-vpn is managed by /ip cloud; the IPv4 input chain below has no
# explicit accept for udp/6888, so its reachability presumably comes from the
# back-to-home feature itself — confirm.  54321/54322 are accepted explicitly.
add comment=back-to-home-vpn listen-port=6888 mtu=1420 name=back-to-home-vpn
add listen-port=54321 mtu=1420 name=wg-sts-iptv-al
add listen-port=54322 mtu=1420 name=wg-sts-iptv-cr
/interface vlan
# vlan-guest uses arp=reply-only: the router answers ARP but does not learn
# entries dynamically; entries come from dhcp-guest (add-arp=yes below), so
# only DHCP-leased guest hosts are reachable at L2 from the router.
add arp=reply-only interface=bridge name=vlan-guest vlan-id=30
add interface=bridge name=vlan-home vlan-id=10
add interface=bridge name=vlan-iot vlan-id=20
# ISP-side VLANs on ether1: IPTV, VoIP and the PPPoE internet service.
add interface=ether1 name=vlan2-iptv vlan-id=2
add interface=ether1 name=vlan3-telefono vlan-id=3
add interface=ether1 name=vlan6-internet vlan-id=6
/interface pppoe-client
# PPPoE password is not part of an export; only the user name is shown.
add add-default-route=yes disabled=no interface=vlan6-internet name=internet \
    user=adslppp@telefonicanetpa
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
# Membership (see /interface list member below): LAN = bridge + vlan-home only;
# VLANS = vlan-home, vlan-iot, vlan-guest.  vlan-iot and vlan-guest are NOT in
# LAN, so they hit every "!LAN" drop unless an earlier rule accepts them.
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=vlans-iptv-voip name=VLANs2&3
add name=VLANS
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name=2,4Ghz-ch01 width=20mhz
add band=2ghz-ax disabled=no frequency=2462 name=2,4Ghz-ch11 width=20mhz
add band=5ghz-ax disabled=no frequency=5180 name=5Ghz-ch36 width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500 name=5Ghz-ch100 width=20/40/80mhz
/interface wifi datapath
# Each SSID is mapped to its VLAN at the datapath; guest additionally has
# client-isolation so guest stations cannot talk to each other over Wi-Fi.
add bridge=bridge disabled=no name=wifi-home vlan-id=10
add bridge=bridge disabled=no name=wifi-iot vlan-id=20
add bridge=bridge client-isolation=yes disabled=no name=wifi-guest vlan-id=30
/interface wifi security
# Mixed WPA2/WPA3-PSK with 802.11r fast transition; WPS disabled on all three.
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=home wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=iot wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=guest wps=disable
/interface wifi configuration
# "-local" configurations are for this router's own radios, "-cap" ones are
# pushed to the ax2 CAP via provisioning below.
add channel=5Ghz-ch100 country=Spain datapath=wifi-home disabled=no \
    dtim-period=3 mode=ap name=5Ghz-local security=home ssid=Mikrotik
add channel=2,4Ghz-ch01 country=Spain datapath=wifi-home disabled=no \
    dtim-period=3 mode=ap name=2,4Ghz-cap security=home ssid=Mikrotik \
    tx-power=15
add channel=5Ghz-ch36 country=Spain datapath=wifi-home disabled=no \
    dtim-period=3 mode=ap name=5Ghz-cap security=home ssid=Mikrotik
add country=Spain datapath=wifi-iot disabled=no mode=ap name=iot security=iot \
    ssid=Mikrotik_IoT
add country=Spain datapath=wifi-guest disabled=no dtim-period=3 mode=ap name=\
    guest security=guest ssid=Mikrotik_Guests
/interface wifi
# 5 GHz master plus two virtual APs (guest, iot) on the same radio.
set [ find default-name=wifi1 ] configuration=5Ghz-local configuration.mode=\
    ap datapath=wifi-home disabled=no name=wifi-5ghz
add configuration=guest configuration.mode=ap disabled=no mac-address=\
    F6:1E:57:9E:1B:2D master-interface=wifi-5ghz name=wifi-5ghz-invitados
add configuration=iot configuration.mode=ap disabled=no mac-address=\
    F6:1E:57:9E:1B:2E master-interface=wifi-5ghz name=wifi-5ghz-iot
/ip dhcp-server option
# Vendor option handed only to the iptv-network DHCP network below.
add code=240 name=opch-imagenio value="':::::239.0.2.29:22222'"
/ip pool
# pool-iptv is a slice of the home subnet (.241-.254); it is selected by the
# DHCP matcher on option 60 = "[IAL]" further down.
add name=pool-home ranges=192.168.10.20-192.168.10.239
add name=pool-iptv ranges=192.168.10.241-192.168.10.254
add name=pool-iot ranges=192.168.20.2-192.168.20.254
add name=pool-guest ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
# dhcp-guest add-arp=yes pairs with arp=reply-only on vlan-guest: ARP entries
# for guests exist only for active leases.
add address-pool=pool-home interface=vlan-home name=dhcp-home
add address-pool=pool-iot interface=vlan-iot lease-time=1d name=dhcp-iot
add add-arp=yes address-pool=pool-guest interface=vlan-guest name=dhcp-guest
/routing rip instance
# Only used passively on the IPTV/VoIP VLANs (see interface-template below).
add afi=ip disabled=no name=rip
/system script
# Both scripts are the factory defaults bound to the mode and WPS buttons
# (see /system routerboard ... below).  They run with the full default policy
# set, including password and sensitive.
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
# Pressing the WPS button triggers wps-push-button on every enabled AP
# interface; the security profiles above set wps=disable, so confirm whether
# this still has any effect here.
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
/disk settings
# Any attached media is automatically shared over SMB on the bridge.  The
# input chain below accepts LAN-list interfaces (vlan-home) and drops the rest,
# so iot/guest presumably cannot reach it — confirm this is intended.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface wifi
# 2.4 GHz master plus its guest and iot virtual APs.
set [ find default-name=wifi2 ] configuration=2,4Ghz-local \
    configuration.mode=ap datapath=wifi-home disabled=no name=wifi-2,4ghz
add configuration=guest configuration.mode=ap disabled=no mac-address=\
    F6:1E:57:9E:1B:2F master-interface=wifi-2,4ghz name=wifi-2,4ghz-invitados
add configuration=iot configuration.mode=ap disabled=no mac-address=\
    F6:1E:57:9E:1B:30 master-interface=wifi-2,4ghz name=wifi-2,4ghz-iot
/interface bridge port
# ether2-4: untagged access ports in VLAN 10 (home).  ether5: tagged trunk
# (carries 10/20/30, presumably to the ax2 CAP — confirm).  Both EoIP tunnels
# are untagged members of VLAN 10.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=eoip-iptv-al pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=eoip-iptv-cr pvid=10
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) limited to the LAN list (bridge, vlan-home).
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=home tagged=bridge,ether5 vlan-ids=10
add bridge=bridge comment=iot tagged=bridge,ether5 vlan-ids=20
add bridge=bridge comment=guest tagged=bridge,ether5 vlan-ids=30
/interface list member
# Note the asymmetry: vlan-home is in both LAN and VLANS, while vlan-iot and
# vlan-guest are only in VLANS.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=vlan2-iptv list=VLANs2&3
add interface=vlan3-telefono list=VLANs2&3
add interface=vlan-home list=LAN
add interface=vlan-home list=VLANS
add interface=vlan-iot list=VLANS
add interface=vlan-guest list=VLANS
/interface wifi capsman
# CAPsMAN listens on vlan-home only; require-peer-certificate=no means CAPs are
# not authenticated by certificate, so anything on VLAN 10 could present itself
# as a CAP.  Trade-off to be aware of on the management VLAN.
set enabled=yes interfaces=vlan-home package-path="" \
    require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi configuration
# datapath=*4 is an internal object id in this export (presumably wifi-home,
# matching the other home SSIDs) — verify after import.
add channel=2,4Ghz-ch11 country=Spain datapath=*4 disabled=no dtim-period=3 \
    mode=ap name=2,4Ghz-local security=home ssid=Mikrotik tx-power=15
/interface wifi provisioning
# Provisioning is pinned to the two radio MACs of the CAP; each gets the home
# master SSID plus guest and iot slave SSIDs.
add action=create-dynamic-enabled disabled=no master-configuration=2,4Ghz-cap \
    name-format=cap-2ghz radio-mac=78:9A:18:FE:B0:3F slave-configurations=\
    guest,iot
add action=create-dynamic-enabled disabled=no master-configuration=5Ghz-cap \
    name-format=cap-5ghz radio-mac=78:9A:18:FE:B0:3E slave-configurations=\
    guest,iot
/interface wireguard peers
# Site-to-site peers; public keys and endpoint hostnames are redacted in the
# post.  allowed-address is the single /32 of the far tunnel end.
add allowed-address=172.17.0.2/32 comment=gorron-iptv endpoint-address=\
    xxxxxx.sn.mynetname.net endpoint-port=54321 interface=wg-sts-iptv-al \
    name=peer1 public-key=""
add allowed-address=172.17.0.6/32 comment=gorron-iptv endpoint-address=\
    xxxxxx.sn.mynetname.net endpoint-port=54322 interface=wg-sts-iptv-cr \
    name=peer5 public-key=""
/ip address
add address=192.168.10.1/24 interface=vlan-home network=192.168.10.0
add address=192.168.20.1/24 interface=vlan-iot network=192.168.20.0
add address=192.168.30.1/24 interface=vlan-guest network=192.168.30.0
# IPTV address redacted in the post ("my.iptv.fixed.ip").
add address=my.iptv.fixed.ip/9 interface=vlan2-iptv network=10.128.0.0
add address=172.17.0.1/30 interface=wg-sts-iptv-al network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-cr network=172.17.0.4
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip cloud back-to-home-user
# allow-lan=yes: this Back-To-Home user gets access to the LAN side, not just
# the router.  Key redacted in the post.
add allow-lan=yes name=C53UiG+5HPaxD2HPaxD public-key=\
    "xxxxxxxxxxx"
/ip dhcp-client
# VoIP VLAN gets an address from the ISP but contributes no default route/DNS.
add add-default-route=no interface=vlan3-telefono name=client1 use-peer-dns=\
    no use-peer-ntp=no
/ip dhcp-server matcher
# Clients sending vendor class "[IAL]" (IPTV decoders) are steered to pool-iptv.
add address-pool=pool-iptv code=60 matching-type=exact name=descos server=\
    dhcp-home value="[IAL]"
/ip dhcp-server network
# iot and guest clients are handed the router (192.168.20.1 / 192.168.30.1) as a
# third DNS server, but the input rule accepting udp/53 from VLANS is disabled
# below and those VLANs are not in LAN, so that entry is unreachable for them.
add address=192.168.10.0/24 comment=vlan-home dns-server=\
    45.90.28.20,45.90.30.20,192.168.10.1 gateway=192.168.10.1
add address=192.168.10.240/28 comment=iptv-network dhcp-option=opch-imagenio \
    dns-server=172.23.101.98 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 comment=vlan-iot dns-server=\
    45.90.28.20,45.90.30.20,192.168.20.1 gateway=192.168.20.1
# netmask=32 gives guest clients a host mask, forcing all their traffic via the
# gateway — presumably deliberate for isolation; confirm.
add address=192.168.30.0/24 comment=vlan-guest dns-server=\
    45.90.28.20,45.90.30.20,192.168.30.1 gateway=192.168.30.1 netmask=32
/ip dns
# mDNS is repeated between all three VLANs here, including guest: service
# advertisements from home/iot devices become visible to guest clients, and
# vice versa.  verify-doh-cert=yes has no DoH server to apply to in this export.
set mdns-repeat-ifaces=vlan-home,vlan-iot,vlan-guest servers=1.1.1.1,1.0.0.1 \
    verify-doh-cert=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan type=A
/ip firewall filter
# ---- input chain (traffic to the router itself) ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    in-interface=lo src-address=127.0.0.1
add action=accept chain=input comment="vlans: accept voip and iptv vlans" \
    in-interface-list=VLANs2&3
# GRE is accepted only when it arrives inside the respective WireGuard tunnel.
add action=accept chain=input comment="iptv: allow gre for eoip-al" \
    in-interface=wg-sts-iptv-al protocol=gre
add action=accept chain=input comment="iptv: allow gre for eoip-cr" \
    in-interface=wg-sts-iptv-cr protocol=gre
# WireGuard listen ports are accepted from any interface (no in-interface-list);
# needed on WAN for the site-to-site peers.  WireGuard itself authenticates.
add action=accept chain=input comment="vpn: allow wireguard gorron-al" \
    dst-port=54321 protocol=udp
add action=accept chain=input comment="vpn: allow wireguard gorron-cr" \
    dst-port=54322 protocol=udp
# Disabled: while off, vlan-iot/vlan-guest (not in LAN) cannot use the router
# as a DNS resolver even though DHCP hands it out; TCP/53 is not covered either.
add action=accept chain=input comment="VLANs can use router DNS" disabled=yes \
    dst-port=53 in-interface-list=VLANS protocol=udp
# mDNS accept must sit above the "!LAN" drop because vlan-iot and vlan-guest
# are not LAN members.  Tight match: udp to 224.0.0.251:5353 only; unicast
# mDNS to the router's own address is not matched.
add action=accept chain=input comment=allow-mDNS dst-address=224.0.0.251 \
    dst-port=5353 in-interface-list=VLANS protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# ---- forward chain ----
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
# Inter-VLAN isolation is symmetric (home<->iot<->guest all rejected).  There
# is no final drop in this chain: anything not matched above — VLANS -> WAN,
# VLANS -> VLANs2&3, VLANS -> the WireGuard/EoIP links — is forwarded by the
# default accept.  Worth checking that is the intended policy for iot/guest.
add action=reject chain=forward comment="VLANS: isolated from each other" \
    in-interface-list=VLANS out-interface-list=VLANS reject-with=\
    icmp-admin-prohibited
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="VLANs2&3: masquerade" \
    out-interface-list=VLANs2&3
/ip firewall service-port
# RTSP connection-tracking helper enabled (the only non-default helper here).
set rtsp disabled=no
/ip ssh
set host-key-type=ed25519 strong-crypto=yes
/ipv6 firewall address-list
# Factory-default IPv6 bogon list; no /ipv6 address or dhcp-client appears in
# this export, so the IPv6 section is as shipped.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default IPv6 input chain; as with IPv4, vlan-iot/vlan-guest are not in LAN
# and would hit the final "!LAN" drop if IPv6 were ever enabled on them.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Default IPv6 forward chain; unlike the IPv4 forward chain it ends in a drop.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/routing igmp-proxy interface
# IPTV multicast: upstream is the ISP IPTV VLAN, the only downstream is
# vlan-home — iot and guest receive no IPTV multicast.
add alternative-subnets=0.0.0.0/0 interface=vlan2-iptv upstream=yes
add interface=vlan-home
/routing rip interface-template
# Passive RIP: routes are learned from the ISP VLANs, none are advertised.
add instance=rip interfaces=vlan2-iptv,vlan3-telefono mode=passive
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name="hAP ax^3"
/system ntp client
set enabled=yes
/system ntp client servers
add address=hora.roa.es
add address=minuto.roa.es
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/tool graphing resource
add
/tool mac-server
# MAC-telnet and MAC-WinBox answer on LAN-list interfaces only (bridge, vlan-home).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
# RoMON is enabled with no secret or interface restriction visible in this
# export — worth confirming it is limited to trusted interfaces.
set enabled=yes
/tool sniffer
set filter-interface=ether2

Thanks in advance!

Edit: See this post, which shows that what was suggested here was not the cause, since the connections show up with state new. So the rest of this can be ignored.

Summary

I don't use mDNS between vlans, so take with grain of salt.

This topic Brother “Scan to PC” button not working across VLANs/separate networks on RB5009 — mDNS RouterOS 7.20.8 is worth a read.

It states:

Step 2 — Add input rule allowing mDNS BEFORE any drop rule:

/ip firewall filter
# Quoted from the linked topic: same shape as the original poster's rule, with
# the interface list named MDNS-INTERFACES instead of VLANS.  Must precede any
# drop in the input chain that would catch those interfaces.
add action=accept chain=input comment="allow mDNS" \
    dst-address=224.0.0.251 dst-port=5353 \
    in-interface-list=MDNS-INTERFACES protocol=udp

So I would at least try moving your rule

above

just to see if the firewall is considering the mDNS as "invalid" because it probably isn't being handled by the normal flow.

If it does fix it, great. If it doesn't, you can move it back to its current location in the input chain (where it will not need to be "processed" as frequently).


My firewall rule for this - which works - is

# Matches on source port only: any UDP packet from the "Private Networks" list
# with src-port 5353 is accepted into the router, whatever its destination port.
# Adding dst-port=5353 would keep the same mDNS behaviour with a narrower match.
add action=accept chain=input comment="Accept mdns" protocol=udp \
    src-address-list="Private Networks" src-port=5353

mDNS is covered here in Mikrotik documentation [at the bottom] and you seem to have got the placement right.

However, I have defined my networks under [IP -> Firewall -> Address Lists]

/ip firewall address-list
# Whole RFC 1918 blocks, one per list.  Only "Private Networks" (172.16.0.0/12)
# is referenced by the mDNS rule above.
add address=192.168.0.0/16 list="Guest Networks"
add address=10.0.0.0/8 list="Local Networks"
add address=172.16.0.0/12 list="Private Networks"

Thanks for your response.

So, I bet that my rule should work like yours. You are using address lists and I am using interface lists, but it is essentially the same. (Mine specify the dst-address 224.0.0.251 too)

There is a difference in either using the src or dst port.

You have dst-port=5353. I have src-port=5353. I think that might break yours.


You are right! I missed that.

I am not so sure about that. I never had much joy playing with interface lists and I came to the conclusion that as I only needed the networks defined and named for the firewall it was better to use address lists which are defined close to the firewall.


I am now using your approach of address lists.

/ip firewall address-list
# One list per VLAN subnet; the list names coincide with the VLAN interface
# names, which is legal but easy to misread in rules.
add address=192.168.10.0/24 list="vlan-home"
add address=192.168.20.0/24 list="vlan-iot"
add address=192.168.30.0/24 list="vlan-guest"

So, if I want to have mDNS between my vlan-home and my vlan-iot, I should use this rule?

# Accepts any UDP from the iot subnet whose source port is 5353, to any router
# port.  Both log lines quoted later in the thread (to 224.0.0.251:5353 and to
# 192.168.20.1:5353) would match.  Adding dst-port=5353 keeps that behaviour
# while not accepting other UDP services from a spoofed source port.
add action=accept chain=input comment="allow-mDNS" protocol=udp \
    src-address-list="vlan-iot" src-port=5353

That looks about right. But looking at your mdns repeaters

I question the wisdom of repeating between vlan-guest and the other vlans.

I also question using the same names for the address lists and the vlan interfaces. They probably won't be confused by RouterOS [no guarantees], but for your own sanity, you might want to rename the address lists something like this:

/ip firewall address-list
add address=192.168.10.0/24 list="vlan-home.addresses"
add address=192.168.20.0/24 list="vlan-iot.addresses"
add address=192.168.30.0/24 list="vlan-guest.addresses"

Yes, I finally left it as follows:

/ip dns
# Final setting: repeat mDNS between home and iot only; vlan-guest is left out
# so guest clients neither see nor inject service advertisements.
set mdns-repeat-ifaces=vlan-home,vlan-iot

I think it’s working properly. I added logging to the firewall rule and saw these lines in the log:

mDNS input: in:vlan-iot out:(unknown 0), connection-state:new src-mac 70:EE:50:8F:CB:XX, proto UDP, 192.168.20.251:5353->224.0.0.251:5353, len 306
mDNS input: in:vlan-iot out:(unknown 0), connection-state:new src-mac 70:EE:50:8F:CB:XX, proto UDP, 192.168.20.251:5353->192.168.20.1:5353, len 265

This IP is my Netatmo thermostat connected to iot wifi.


I didn't think to do that. I have a Linux box on my general LAN and I can see what mDNS is doing with this:

avahi-browse -a -v -r