I have the following network topology at home:
I want to follow this guide for setting up my WiFi to provide different networks on different VLANs.
My question is, how do I need to configure the PoE Switch in between to pass the tagged frames to the router? Currently, no VLAN settings are configured:
Ports 15 & 16 are configured as LAG and set to balance rr on Mikrotik side.
My CAPs are connected on ports 1 & 2.
Do I need to set them all to tagged?
Set up both VLANs as tagged on the LAG interface. If the access points are set up for tagging, set up the appropriate VLAN as tagged on the corresponding ports, otherwise as untagged, possibly by setting the PVID.
Different vendors have different approaches.
To setup vlan filtering on both RB4011 and CAP products use this guide: → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Recommend for each MT device you do the config from a safe location, namely an off bridge port.
So in case of Caps, use ether2 off bridge, on RB4011 use ether8 and remove from /interface bridge port
/interface ethernet
set [ find default-name=etherX ] name=OffBridgeX
/interface list member
add interface=OffBridgeX list=LAN ( or trusted list )
/ip address
add address=192.168.77.1/30 interface=OffBridgeX network=192.168.77.0
Now all you need to do is plug in your laptop to the appropriate port X, change IPV4 settings to 192.168.77.2 and you should be in!!
++++++++++++++++++++
The RB4011 lets say has vlan10 home and vlan20 guests, and vlan10 is the trusted subnet and thus all smart devices should get an IP address on this subnet ( as per article above ).
Trunk port from RB4011 to Switch and trunk ports to both CAPs.
On the netgear switch all trunk ports retain vlan1 untagged on the port. PVID setting remains at 1 for these ports.
On the netgear switch all access ports ( going to dumb devices ) are untagged on that port going to the device and tagged for trunk ports. PVID is changed to relevant vlan ID.
On all MT devices
access ports on /interface bridge port settings have ingress-filtering=yes frame-types=admit-only-prioirity-and-untagged
trunk ports on /interface bridge port settings have ingress-filtering=yes frame-types=admit-only-vlan-tagged
Ref the diagram above. The only time you need to change settings for vlan 1, is to remove the untagging for any ports going to dumb devices associated with a different vlan id.
We dont use vlan1 in any settings on MT, it works in the background. Other wise leave the rest alone.
For each particular vlanID on the netgear switch, ensure its tagged for trunk ports if appropriate ( data needs to flow to the next smart device ) or if its the management vlan ( sometimes its also the trusted vlan) AND untagged if going to a dumb device for the appropriate vlan.
Be sure to set the management vlan if that is an option on the netgear to vlan10 in this case and it should get a fixed IP address on vlan10.
You mean ‘all trunk ports retain vlan10’, correct? Spelling mistake?
I am a bit confused by these two sentences. I have four trunk ports on the switch. Two going to the CAPs and two going to the router. The Switch with a separate router (RoaS) example from your link suggests to use tagging, if I am not mistaken.
# Purple Trunk. L2 switching only, Bridge not needed as tagged member (except BASE_VLAN 99)
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=10
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=20
add bridge=BR1 tagged=sfp1,sfp2 vlan-ids=30
add bridge=BR1 tagged=BR1,sfp1,sfp2 vlan-ids=99
Using two VLANs I should tag all trunk ports with both VLANs, no?
I was referring ONLY to the display vlan1, where you only change the port from U to Nothing (no affiliation) for any ports that are untagged (access ports for other vlans).
In addition you would need to change the pvid of that port from1 to the untagged port vlan id.
For review post pages for each vlan being used, the pvid page, the admin page showing the IP assigned to the switch etc.
My question is, how do I need to configure the PoE Switch in between to pass the tagged frames to the router?
Only for the switch as you asked at the beginning - first of all you have to add needed vlans with apriopriate VLAN ID’s. Than in the “VLAN Membership” page you need to change the letter from U (untagged) to T (tagged) on LAG interface and ports 1 & 2 (all trunks). This has to be done for all required VLAN’s.
EDIT: In the “Port PVID Configuration” the PVID for all that trunk ports should be 1.
Thanks for all the help so far! I haven’t had a change to try it out yet. There are members in the house very unhappy about the WiFi not being accessible. Will keep you posted, though!
Cannot be that unhappy, you posted on JAN 08, and only getting to it now??? Must have been in the hospital or on vacation.
Haha, no. In the past, when I tried to get the configuration of my VLANs right, I regularly locked myself out (and everyone else in the house). They are unhappy when I ‘play’ with the router and configuration.
My current config on the managed switch. Now with three VLANs (mgmt, home, guest):
What is the management vlan or trusted vlan, and do the capacs and switch get an IP address from this VLAN?
In other words do not see vlan99 above, and it should be going from rb4011 to both capacs as well.
The Netgear config looks okay but the virtual LAG interface also should be tagged (I cannot see it on screenshots) - I have to admit that I didn’t need to use LAG’s on Netgears so maybe it’s somehow done automatically.
But as anav have mentioned, the vlans ID’s are different from what you’ve paste earlier:
Is it working? And the Mikrotik config was just an example or was copied from another forum post or something?
You have posted screenshots but didn’t let us know about effect - that is rude… 
So far, I configured the switch only and testing with one Wi-Fi only while keeping the old non-VLAN setup on the side.
The CAPs are CAPsMANed. When connecting to the guest Wi-Fi, I cannot obtain IP address from the DHCP.
But I think the tagging of the LAG is a good pointer. Unfortunately, I couldn’t find any such configuration option in the Netgear UI so far.
My full router config:
# 2025-01-22 09:20:57 by RouterOS 7.17
# software id = REDACTED
#
# model = RB4011iGS+
# serial number = REDACTED
/interface bridge
add admin-mac=REDACTED auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="b\C3\BCro"
set [ find default-name=ether6 ] comment=knx
/interface wireguard
add listen-port=13232 mtu=1420 name=jellyfin1
add listen-port=21841 mtu=1420 name=seedbox1
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=guest vlan-id=300
add interface=sfp-sfpplus1 name=sfpv7 vlan-id=7
/interface bonding
add mode=802.3ad name=nas slaves=ether7,ether8
add mode=balance-xor name=switch slaves=ether9,ether10 transmit-hash-policy=\
layer-2-and-3
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=sfpv7 \
name=telekom use-peer-dns=yes user=REDACTED
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
/interface wifi datapath
add bridge=bridge comment=defconf disabled=no name=capdp
add bridge=bridge comment=guest disabled=no name=guest-datapath vlan-id=300
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
name=family-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=guest-sec
/interface wifi configuration
add channel.reselect-interval=10m..30m comment=family disabled=no mode=ap \
name=family security=family-sec security.connect-priority=0 .ft=yes \
.ft-over-ds=yes ssid=BuddhasBlessedBunch
add comment=guest country=Germany datapath=guest-datapath disabled=no mode=ap \
name=guest security=guest-sec ssid=BuddhasBlessedGuests
/ip kid-control
add disabled=yes mon=9h-21h name="Stop Internet "
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=mgmt ranges=192.168.90.100-192.168.90.254
add name=home ranges=192.168.91.100-192.168.91.254
add name=guest ranges=192.168.92.100-192.168.92.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=2h name=defconf
add address-pool=guest comment=guest interface=guest name=guest
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 3 remote=nas.lan
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=nas
add bridge=bridge interface=switch
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment=wireguard interface=wireguard1 list=LAN
add comment=jellyfin interface=jellyfin1 list=LAN
add interface=sfpv7 list=WAN
add interface=telekom list=WAN
add interface=guest list=LAN
/interface ovpn-server server
add mac-address=REDACTED name=ovpn-server1
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=5ghz disabled=no \
master-configuration=family slave-configurations=guest supported-bands=\
5ghz-ax
add action=create-dynamic-enabled comment=2ghx disabled=no \
master-configuration=family slave-configurations=guest supported-bands=\
2ghz-ax
/interface wireguard peers
add allowed-address=192.168.87.10/32 client-address=192.168.87.10/32 \
client-dns=192.168.87.1 client-endpoint=REDACTED \
interface=wireguard1 name=pixel preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"zA3KVqkFdyeYs8SeH5bBty5q8a6aqZjHmywineHN0EQ="
add allowed-address=192.168.87.11/32 client-address=192.168.87.11/32 \
client-dns=192.168.87.1 client-endpoint=REDACTED \
interface=wireguard1 name=tuxedo preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"hYoazZbXFmbE148jFN8s6v0D3cRCkTawVtaaXySosEE="
add allowed-address=192.168.87.12/32 client-address=192.168.87.12/32 \
client-dns=192.168.87.1 client-endpoint=REDACTED \
interface=wireguard1 name=travelrouter preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"PaIB5Rp1hI1pRtadUrtSDAFEOI//urx6fhApJaZqrDM="
add allowed-address=192.168.87.13/32 client-address=192.168.87.13/32 \
client-dns=192.168.87.1 client-endpoint=REDACTED \
interface=wireguard1 name=iphone preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"FHB9LwPAgM7MoR2pSOqO1RnvaAXy77XkpJ4Mo62qPis="
add allowed-address=192.168.86.11/32 client-address=192.168.86.11/32 \
client-dns=192.168.86.1 client-endpoint=REDACTED \
interface=jellyfin1 name=rieckmanns preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"HJl4GXRRVzEdIlCNxw7c2k0oADNBxtkpxnT+C6h45Ss="
add allowed-address=0.0.0.0/0 endpoint-address=REDACTED endpoint-port=\
51026 interface=seedbox1 name=seedbox public-key=\
"Tq7MDaNyunVrfko5mLMWoN8rZ08hSJOCpJEPUfQcHVo="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.87.1/24 comment=wireguard interface=wireguard1 network=\
192.168.87.0
add address=10.102.6.2/24 comment=seedbox interface=seedbox1 network=\
10.102.6.0
add address=192.168.86.1/24 comment=jellyfin interface=jellyfin1 network=\
192.168.86.0
add address=192.168.1.2/24 comment=luleey interface=sfp-sfpplus1 network=\
192.168.1.0
add address=192.168.92.1/24 comment=guest interface=guest network=\
192.168.92.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.14 domain=\
lan gateway=192.168.88.1 netmask=24
add address=192.168.92.0/24 comment=guest dns-server=192.168.92.1 gateway=\
192.168.92.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.3 name=proxmox2.lan type=A
add address=192.168.88.5 name=zigbee2mqtt.lan type=A
add address=192.168.88.6 name=nas.lan type=A
add address=192.168.88.7 name=jellyfin.lan type=A
add address=192.168.88.8 name=syncthing.lan type=A
add address=192.168.88.11 name=box.lan type=A
add address=192.168.88.12 name=jellyseerr.lan type=A
add address=192.168.88.14 name=homeassistant.lan type=A
add address=192.168.88.16 name=flaresolverr.lan type=A
add address=192.168.88.17 name=zigbeecoordinator.lan type=A
add address=192.168.88.20 name=proxmox3.lan type=A
add address=192.168.88.21 name=proxmox.lan type=A
# bad CNAME data
add cname=nginx.lan. name=jellyfin.REDACTED type=CNAME
# bad CNAME data
add cname=nginx.lan. name=jellyseerr.REDACTED type=CNAME
# bad CNAME data
add cname=nginx.lan. name=radarr.REDACTED type=CNAME
# bad CNAME data
add cname=nginx.lan. name=sonarr.REDACTED type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=mqtt.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=radarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=sonarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=prowlarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=nginx.lan type=CNAME
/ip firewall address-list
add address=192.168.88.7 comment=jellyfin list=jellyfin
add address=192.168.88.12 comment=jellyseer list=jellyfin
add address=192.168.88.13 comment=nginx list=jellyfin
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
jump-target=kid-control
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow Jellyfin (Wireguard)" dst-port=\
13232 protocol=udp
add action=accept chain=input comment="allow Seedbox (Wireguard )" dst-port=\
21841 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="allow jellyfin access only" \
dst-address-list=!jellyfin in-interface=jellyfin1
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat comment=luleey dst-address=192.168.1.1 \
out-interface=sfp-sfpplus1 to-addresses=192.168.1.2
add action=masquerade chain=srcnat comment=luleey out-interface=sfp-sfpplus1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=seedbox out-interface=seedbox1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control device
add mac-address=92:66:00:A0:AD:52 name="MacBook Pro " user="Stop Internet "
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system logging
add action=remote topics=critical,error,warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/system scheduler
add comment=strato interval=1h name=dyndns on-event=\
"/system script run dyndns" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-10-20 start-time=17:57:15
/system script
add comment=strato dont-require-permissions=no name=dyndns owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source=":global ddnsuser \"REDACTED\"\
\n:global ddnspass \"REDACTED\"\
\n:global theinterface \"telekom\"\
\n:global ddnshost1 \"REDACTED\"\
\n\
\n:global ipddns\
\n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
alue-name=address]\
\n\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\
\n :log info (\"DynDNS: No ip address on \$theinterface.\")\
\n} else={\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={\
\n :set ipfresh [:pick \$ipfresh 0 \$i];\
\n }\
\n }\
\n :if (\$ipddns != \$ipfresh) do={\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
\n :log info (\"DynDNS: Update IP needed. Sending UPDATE...!\")\
\n :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfresh\"\
\n /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddnsuse\
r password=\$ddnspass mode=https dst-path=(\"/DynDNS.\$ddnshost1\")\
\n :delay 1\
\n :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
\n /file remove \$str1\
\n :global ipddns \$ipfresh\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\
\n } else={\
\n :log info \"DynDNS: dont need changes\";\
\n }\
\n}"
/tool e-mail
set from="Router <mikrotik@REDACTED>" port=587 server=\
smtp.protonmail.ch tls=yes user=mikrotik@REDACTED
/tool graphing interface
add allow-address=192.168.88.0/24 interface=sfp-sfpplus1
add allow-address=192.168.88.0/24 interface=nas
add allow-address=192.168.88.0/24 interface=switch
/tool graphing resource
add allow-address=192.168.88.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I just bought a new switch now. According to the Netgear community the current switch only partially supports VLAN management.
Will check in again once it arrived.
Isn’t it somoehow the problem of mismatch betwwen 100, 200, 300 VLANs in the switch and 10,20,30 in the router according to config snippets?
The first config snippet was from the guide anav posted. Not my config.
My config is a few posts above. Currently, I only have the VLAN 300 (guest) configured, since I wanted to start with it.
Ultimately, I want three VLANs:
Okay, coming back to this now with the new switch. I cannot make it work right now. Testing access to the guest WiFi and obtaining an IP address fails.
This is the current VLAN setup for the guest VLAN on the switch.
This is the current LAG setup on the switch.
From what I understand so far, this should be alright.
AP config:
# 2025-02-01 05:56:05 by RouterOS 7.17.1
# software id = REDACTED
#
# model = cAPGi-5HaxD2HaxD
# serial number = REDACTED
/interface bridge
add admin-mac=48:A9:8A:A2:9D:29 auto-mac=no comment=defconf name=bridgeLocal \
vlan-filtering=yes
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN F4:1E:57:0D:41:A7%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: BuddhasBlessedBunch, channel: 5500/ax/Ceee/D
set [ find default-name=wifi1 ] configuration.country=Germany .manager=\
capsman .mode=ap datapath=capdp disabled=no
# managed by CAPsMAN F4:1E:57:0D:41:A7%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: BuddhasBlessedBunch, channel: 2412/ax/Ce
set [ find default-name=wifi2 ] configuration.country=Germany .manager=\
capsman .mode=ap datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal comment=guest tagged=bridgeLocal,ether1 vlan-ids=50
/interface ovpn-server server
add mac-address=FE:81:CE:1B:D8:03 name=ovpn-server1
/interface wifi cap
set caps-man-addresses=192.168.88.1 discovery-interfaces=bridgeLocal enabled=\
yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system identity
set name="AP Hauswirtschaftsraum"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
Router config:
# 2025-02-01 06:30:16 by RouterOS 7.17.1
# software id = REDACTED
#
# model = RB4011iGS+
# serial number = REDACTED
/interface bridge
add admin-mac=F4:1E:57:0D:41:A7 auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] comment="b\C3\BCro"
set [ find default-name=ether6 ] comment=knx
/interface wireguard
add listen-port=21841 mtu=1420 name=seedbox1
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=sfp-sfpplus1 name=sfpv7 vlan-id=7
/interface bonding
add mode=802.3ad name=nas slaves=ether7,ether8
add mode=802.3ad name=switch slaves=ether9,ether10 transmit-hash-policy=\
layer-2-and-3
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=sfpv7 \
name=telekom use-peer-dns=yes user=REDACTED
/interface vlan
add interface=switch name=guest vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
/interface wifi datapath
add bridge=bridge comment=defconf disabled=no name=capdp
add bridge=bridge comment=guest disabled=no name=guest-datapath vlan-id=50
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
name=family-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=guest-sec
/interface wifi configuration
add channel.reselect-interval=10m..30m comment=family disabled=no mode=ap \
name=family security=family-sec security.connect-priority=0 .ft=yes \
.ft-over-ds=yes ssid=BuddhasBlessedBunch
add comment=guest country=Germany datapath=guest-datapath disabled=no mode=ap \
name=guest security=guest-sec ssid=BuddhasBlessedGuests
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
add name=mgmt ranges=192.168.90.100-192.168.90.254
add name=home ranges=192.168.91.100-192.168.91.254
add name=guest ranges=192.168.50.100-192.168.50.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=2h name=defconf
add address-pool=guest comment=guest interface=guest name=guest
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 3 bsd-syslog=yes remote=192.168.88.6 syslog-facility=syslog
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=nas
add bridge=bridge interface=switch
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=guest tagged=switch,bridge vlan-ids=50
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment=wireguard interface=wireguard1 list=LAN
add comment=jellyfin interface=*13 list=LAN
add interface=sfpv7 list=WAN
add interface=telekom list=WAN
add interface=guest list=LAN
/interface ovpn-server server
add mac-address=FE:97:BD:F3:AB:5D name=ovpn-server1
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment=5ghz disabled=no \
master-configuration=family slave-configurations=guest supported-bands=\
5ghz-ax
add action=create-dynamic-enabled comment=2ghx disabled=no \
master-configuration=family slave-configurations=guest supported-bands=\
2ghz-ax
/interface wireguard peers
add allowed-address=192.168.87.10/32 client-address=192.168.87.10/32 \
client-dns=192.168.87.1 client-endpoint=REDACTED \
interface=wireguard1 name=pixel preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"zA3KVqkFdyeYs8SeH5bBty5q8a6aqZjHmywineHN0EQ="
add allowed-address=192.168.87.11/32 client-address=192.168.87.11/32 \
client-dns=192.168.87.1 client-endpoint=REDACTED \
interface=wireguard1 name=tuxedo preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"hYoazZbXFmbE148jFN8s6v0D3cRCkTawVtaaXySosEE="
add allowed-address=192.168.87.12/32 client-address=192.168.87.12/32 \
client-dns=192.168.87.1 client-endpoint=REDACTED \
interface=wireguard1 name=travelrouter preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"PaIB5Rp1hI1pRtadUrtSDAFEOI//urx6fhApJaZqrDM="
add allowed-address=192.168.87.13/32 client-address=192.168.87.13/32 \
client-dns=192.168.87.1 client-endpoint=REDACTED \
interface=wireguard1 name=iphone preshared-key=\
"REDACTED" private-key=\
"REDACTED" public-key=\
"FHB9LwPAgM7MoR2pSOqO1RnvaAXy77XkpJ4Mo62qPis="
add allowed-address=0.0.0.0/0 endpoint-address=REDACTED endpoint-port=\
51026 interface=seedbox1 name=seedbox public-key=\
"Tq7MDaNyunVrfko5mLMWoN8rZ08hSJOCpJEPUfQcHVo="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.87.1/24 comment=wireguard interface=wireguard1 network=\
192.168.87.0
add address=10.102.6.2/24 comment=seedbox interface=seedbox1 network=\
10.102.6.0
add address=192.168.1.2/24 comment=luleey interface=sfp-sfpplus1 network=\
192.168.1.0
add address=192.168.50.1/24 comment=guest interface=guest network=\
192.168.50.0
/ip dhcp-server network
add address=192.168.50.0/24 comment=guest dns-server=192.168.50.1 gateway=\
192.168.50.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.14 domain=\
lan gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9 verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
add address=192.168.88.3 name=proxmox2.lan type=A
add address=192.168.88.4 name=myspeed.lan type=A
add address=192.168.88.5 name=zigbee2mqtt.lan type=A
add address=192.168.88.6 name=nas.lan type=A
add address=192.168.88.7 name=jellyfin.lan type=A
add address=192.168.88.8 name=syncthing.lan type=A
add address=192.168.88.9 name=paperless.lan type=A
add address=192.168.88.11 name=box.lan type=A
add address=192.168.88.12 name=jellyseerr.lan type=A
add address=192.168.88.14 name=homeassistant.lan type=A
add address=192.168.88.16 name=flaresolverr.lan type=A
add address=192.168.88.17 name=zigbeecoordinator.lan type=A
add address=192.168.88.20 name=proxmox3.lan type=A
add address=192.168.88.21 name=proxmox.lan type=A
add cname=nginx.lan name=jellyfin.REDACTED type=CNAME
add cname=nginx.lan name=jellyseerr.REDACTED type=CNAME
add cname=nginx.lan name=radarr.REDACTED type=CNAME
add cname=nginx.lan name=sonarr.REDACTED type=CNAME
add cname=nginx.lan name=myspeed.REDACTED type=CNAME
add cname=nginx.lan name=paperless.REDACTED type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=mqtt.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=radarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=sonarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=prowlarr.lan type=CNAME
# bad CNAME data
add cname=homeassistant.lan. name=nginx.lan type=CNAME
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow Wireguard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow Seedbox (Wireguard )" dst-port=\
21841 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=seedbox out-interface=seedbox1
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 dhcp-client
add add-default-route=yes interface=telekom pool-name=pool-ipv6 request=\
prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system identity
set name=Router
/system logging
set 0 topics=info,!wireless
add action=remote topics=info
add action=remote topics=debug
add action=remote topics=warning
add action=remote topics=critical
add action=remote topics=error
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.de.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/system scheduler
add comment=strato interval=1h name=dyndns on-event=\
"/system script run dyndns" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=2024-10-20 start-time=17:57:15
/system script
add comment=strato dont-require-permissions=no name=dyndns owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source=":global ddnsuser \"REDACTED\"\
\n:global ddnspass \"REDACTED\"\
\n:global theinterface \"telekom\"\
\n:global ddnshost1 \"REDACTED\"\
\n\
\n:global ipddns\
\n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
alue-name=address]\
\n\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\
\n :log info (\"DynDNS: No ip address on \$theinterface.\")\
\n} else={\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={\
\n :set ipfresh [:pick \$ipfresh 0 \$i];\
\n }\
\n }\
\n :if (\$ipddns != \$ipfresh) do={\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\
\n :log info (\"DynDNS: Update IP needed. Sending UPDATE...!\")\
\n :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfresh\"\
\n /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddnsuse\
r password=\$ddnspass mode=https dst-path=(\"/DynDNS.\$ddnshost1\")\
\n :delay 1\
\n :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\
\n /file remove \$str1\
\n :global ipddns \$ipfresh\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\
\n } else={\
\n :log info \"DynDNS: dont need changes\";\
\n }\
\n}"
/tool e-mail
set from="Router <mikrotik@REDACTED>" port=587 server=\
smtp.protonmail.ch tls=yes user=mikrotik@REDACTED
/tool graphing interface
add allow-address=192.168.88.0/24 interface=sfp-sfpplus1
add allow-address=192.168.88.0/24 interface=nas
add allow-address=192.168.88.0/24 interface=switch
/tool graphing resource
add allow-address=192.168.88.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
So if anyone dares to have a look here, I would appreciate it very much.
EDIT: To add a note. My goal here is to only configure a second SSID (guests) with gated access via VLAN at the moment. If I can understand how to properly configure it, I am confident to take it from there.
I didnt have to look far into your router, its missing vlans, only guest is identified.
Thanks for having another look!
Can I not have both VLAN traffic an non-VLAN traffic in the same network? My first goal is to only configure the guest VLAN properly, then take it from there.
I ran Torch on the AP:
I ran the same settings on the router and didn’t get any traffic.
I just created a guide for setting up InterVLAN routing on the MikroTik. I posted it in the user submitted articles section. Do a search on InterVLAN routing. I have about 16 VLANs I am using to route along with normal LAN traffic.