What I ultimately want to achieve is:

WAN -> Internet (ether1, PPPoE)
HOME_LAN (ether2,ether3,ether4, SSID HOME)
WORK_LAN (ether5, SSID WORK, IPSEC VPN)

HOME_LAN and WORK_LAN must not be able to see each other, but must be able to access the internet.
WORK_LAN must also be able to route down a VPN.

I am trying to get my head around this still, so have been experimenting with a routerOS vm and some linux vms as clients. What I have so far is what seem to be isolated LANS and both able to access the internet.

My question is, is isolating the LANS using two bridges a legitimate / sensible setup given what I eventually want to achieve?

[admin@MikroTik] /interface bridge> /export

nov/29/2019 17:42:42 by RouterOS 6.45.7

software id =

/interface bridge
add name=bridge1_home
add name=bridge2_work
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.6.10-192.168.6.150
add name=dhcp_pool1 ranges=10.119.104.2-10.119.104.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1_home name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge2_work name=dhcp2
/interface bridge port
add bridge=bridge1_home interface=ether2
add bridge=bridge1_home interface=ether3
add bridge=bridge2_work interface=ether4
/ip address
add address=192.168.6.1/24 interface=bridge1_home network=192.168.6.0
add address=10.119.104.1/24 interface=bridge2_work network=10.119.104.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.119.104.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.119.104.1
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.6.1
/ip firewall filter
add action=drop chain=forward in-interface=bridge1_home out-interface=bridge2_work
add action=drop chain=forward in-interface=bridge2_work out-interface=bridge1_home
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.6.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.119.104.0/24

Your setup seems fine. A few minor things:

• in the text you write you want to have ether1 part of HOME_LAN while in setup it’s not (and has DHCP client running as if it was still used as WAN interface, src-nat rules imply the same)
• you probably don’t need two masquerade rules, you can probably masquerade just anything going out through WAN interface

Why not use VLANs ?

WORK_LAN consists of one ether port, one wireless interface and one IPSEC interface. The mix won’t benefit from doing the whole stuff using VLANs (all of it would be handled by CPU even on CRS3xx). None of ports are trunk so no benefit of doing it with VLANs either. Doing it with two bridges doesn’t have any benefits either. Other than the fact that enabling vlan-filtering on bridge disables HW offload (except on CRS3xx), but current config allows it on bridge1_home, traffic between ether2 and ether3 will be handled by switch chip alone.

As OP did it already, I don’t see any good reason to tear current config apart. If I were doing it, I’d do it using VLANs though.

@Mehuge: I just remembered a thing which might be of concern in your case: bridge xan offload certain tasks to switching hardware. But it can only be done for ethernet interfaces and single bridge. The bridge2_work knly contains a single ether interface and thus can’t benefit from HW offload. To make sure that HW offload remains available for bridge1_home, set hw=no on line where ether4 gets added to bridge (add bridge=bridge2_work interface=ether4 hw=no).

@mkx i didnt read the whole post to be honest…

My mistake. I meant ether2,3,4 on HOME and 5 on WORK with ether1 being WAN

I wondered about that, makes sense.

TBH, I didn’t use VLANs because I could not find an example that seemed to fit with what I wanted to do.

Thanks, will add that.

Thanks for the input.