Mullvad wireguard on existing VLAN

i’ve added a mullvad interface on a new VLAN to my RB4011 by following this tutorial: https://scholz.ruhr/blog/mullvad-as-second-wan-on-mikrotik/
all works: vlan60 connects through the vpn and i can see that my public ip is the mullvad vpn’s ip (sweden in this case)

this is a good start, but what i want is some of my other vlans to 1) remain accessible internally and 2) connect to the outside through the VPN
for some reason, i can’t get vlan120 to use the vpn tunnel that vlan60 is already using

not knowing where to start (and not having deep knowledge of vlans and vpn :confused: ), i’ve tried a couple of changes, for instance modifying the gateway and DNS servers of vlan120 to match those of vlan60 and changing the interface of vlan120 to the one vlan60 uses. none of this works

my config

# may/31/2023 14:29:15 by RouterOS 7.9.1
#
# model = RB4011iGS+
# Reviewer notes are prefixed "# NOTE" and only describe what this export shows.
/interface bridge
# vlan-filtering is on, but ingress-filtering=no here and on every port below:
# ports do not reject frames for VLANs they are not members of (the reply in
# this thread switches that to yes with explicit frame-types).
add fast-forward=no ingress-filtering=no name=bridge-local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment=192.168.110.16 name=ether2-TV
set [ find default-name=ether3 ] name=ether3-Chromecast
set [ find default-name=ether6 ] comment=meterkast name=ether6-switch
set [ find default-name=ether7 ] comment="arcam SA30" name=ether7-arcam
set [ find default-name=ether9 ] name=ether9-RB260GSP
set [ find default-name=ether10 ] name=ether10-R500 poe-priority=1
# NOTE: disabled here, yet still added as a bridge port (/interface bridge port)
# and listed under /system resource irq rps below.
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface veth
# Virtual interface for the mDNS-repeater container (see /container below).
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1
/interface wireguard
# Mullvad client tunnel. The remote endpoint is set under /interface wireguard
# peers, so the session is initiated outbound; no input accept for udp/4063
# exists, so return traffic presumably matches the established,related accept.
# No private-key appears in this paste.
add comment=mullvad listen-port=4063 mtu=1420 name=mullvad-upstream
# Road-warrior WireGuard server; udp/13231 is accepted in the input chain.
add listen-port=13231 mtu=1420 name=wireguard
/interface vlan
# NOTE: the VLAN 60 interface is named "mullvad" while the tunnel is named
# "mullvad-upstream". The mangle rule further down matches in-interface=mullvad,
# i.e. this VLAN, not the tunnel.
add comment=mullvad interface=bridge-local name=mullvad vlan-id=60
# ISP uplink is a tagged VLAN on ether1-WAN (the only WAN-list member).
add interface=ether1-WAN name=vlan-internet vlan-id=300
add comment=servers interface=bridge-local name=vlan105 vlan-id=105
add comment="IOT network" interface=bridge-local name=vlan110 vlan-id=110
add comment="guest network" interface=bridge-local name=vlan120 vlan-id=120
/interface list
# Membership (see /interface list member): LAN = bridge-local only,
# WAN = vlan-internet only. The "wireguard" interface is in neither list, which
# the input-chain "drop all not coming from LAN" rule depends on.
add comment="WAN interface" name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
# NOTE: no address-pool on this server, so it has nothing to lease. The reply's
# version attaches a pool-vlan105.
add interface=vlan105 lease-time=10m name=dhcp-vlan105
/ip pool
add name=dhcp-local ranges=192.168.0.180-192.168.0.254
add name=pool-vlan110 ranges=192.168.110.180-192.168.110.249
add name=pool-vlan120 ranges=192.168.120.180-192.168.120.254
add comment=mullvad name=pool-vlan60 ranges=10.0.60.100-10.0.60.150
/ip dhcp-server
# dhcp-local serves untagged traffic on the bridge itself (192.168.0.0/24,
# see /ip address).
add address-pool=dhcp-local interface=bridge-local lease-time=5m name=\
    dhcp-local
add address-pool=pool-vlan110 interface=vlan110 lease-time=5m name=\
    dhcp-vlan110
add address-pool=pool-vlan120 interface=vlan120 lease-time=5m name=\
    dhcp-vlan120
# Disabled, although the matching /ip dhcp-server network entry for
# 10.0.60.0/24 is still present further down.
add address-pool=pool-vlan60 comment=mullvad disabled=yes interface=mullvad \
    name=dhcp-vlan60
/port
set 0 name=serial0
set 1 name=serial1
# Routing-protocol defaults: no BGP connections or OSPF interfaces appear
# anywhere in this export.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/routing table
# NOTE(review): a table with an empty name looks like an export artefact — verify.
add fib name=""
# Separate table holding only the Mullvad default route (/ip route below);
# packets reach it through the mangle mark + /routing rule.
add comment=mullvad disabled=no fib name=mullvad
/container
# mDNS repeater between VLAN 110 and VLAN 120 (veth1 is a tagged member of
# both in /interface bridge vlan). Image/source is not part of this export.
add envlist=repeater_envs hostname=mdns-repeater interface=veth1 \
    start-on-boot=yes
/container envs
add key=REPEATER_INTERFACES name=repeater_envs value="eth0.110 eth0.120"
/interface bridge port
# Every port keeps ingress-filtering=no. Ports without a pvid (ether8, ether9,
# ether10, sfp-sfpplus1) use the default pvid 1, so untagged frames on them
# land in the bridge's native VLAN — the one carrying the router's
# 192.168.0.1/24 management address (/ip address on bridge-local).
add bridge=bridge-local ingress-filtering=no interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether3-Chromecast \
    pvid=110
# ether4 is untagged in VLAN 110 and tagged in VLAN 105 (hybrid port, see
# /interface bridge vlan).
add bridge=bridge-local ingress-filtering=no interface=ether4 pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether7-arcam pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=no interface=ether10-R500
add bridge=bridge-local ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge-local ingress-filtering=no interface=ether8
add bridge=bridge-local interface=veth1
/ip neighbor discovery-settings
# NOTE: discovery on all interfaces includes the WAN side (ether1-WAN /
# vlan-internet); limiting it to the LAN list keeps the router from
# announcing itself upstream.
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 fully off; the ::/0 allowed-address on the Mullvad peer below and the
# /ipv6 firewall address-list further down are therefore inert.
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no max-neighbor-entries=8192
/interface bridge vlan
# bridge-local is a tagged member of every VLAN, so the router's own vlanXXX
# interfaces receive traffic. VLAN 60 exists only on the ether9 trunk
# (toward the RB260GSP): no access port is untagged in it.
add bridge=bridge-local tagged=\
    ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=\
    ether2-TV,ether3-Chromecast,ether5,ether4,ether7-arcam,ether6-switch \
    vlan-ids=110
add bridge=bridge-local tagged=\
    ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP,ether4 vlan-ids=\
    105
add bridge=bridge-local comment=mullvad tagged=ether9-RB260GSP,bridge-local \
    vlan-ids=60
/interface list member
# "wireguard" is absent from LAN here; the reply adds it.
add interface=bridge-local list=LAN
add interface=vlan-internet list=WAN
/interface ovpn-server server
# NOTE: md5 is still an accepted auth digest. Whether the OVPN server is
# enabled is not visible in this export.
set auth=sha1,md5
/interface wireguard peers
# Public keys are redacted in the paste. Each road-warrior peer is pinned to
# a single /32 inside 10.0.0.0/24.
add allowed-address=10.0.0.2/32 comment="mobile" interface=wireguard \
    public-key="xxx"
add allowed-address=10.0.0.3/32 comment="laptop" interface=wireguard \
    public-key="xxx"
# Mullvad peer. allowed-address=0.0.0.0/0 only permits any destination to use
# the tunnel; which traffic actually enters it is decided by the mullvad
# routing table and /routing rule below.
add allowed-address=0.0.0.0/0,::/0 comment=mullvad endpoint-address=\
    185.213.154.68 endpoint-port=51820 interface=mullvad-upstream public-key=\
    "xxx"
/ip address
# Router-side addresses: 192.168.0.1/24 sits on the bridge itself (native
# VLAN), all others on vlan interfaces.
add address=192.168.0.1/24 interface=bridge-local network=192.168.0.0
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0
add address=192.168.105.1/24 interface=vlan105 network=192.168.105.0
add address=10.0.60.1/24 comment=mullvad interface=mullvad network=10.0.60.0
# Tunnel address with no prefix length (a /32); network=10.124.0.152 is the
# value the mullvad default route below uses as gateway. The follow-up post
# rewrites this as a /24 — confirm which address/gateway Mullvad assigned.
add address=10.66.250.98 comment=mullvad interface=mullvad-upstream network=\
    10.124.0.152
/ip cloud
# MikroTik cloud DDNS enabled, refreshed daily.
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-client
# WAN address via DHCP on the ISP VLAN; upstream NTP hints are ignored.
add interface=vlan-internet use-peer-ntp=no
/ip dhcp-server lease
# Static leases, almost all on dhcp-vlan110 (the IoT/services VLAN).
add address=192.168.110.80 client-id=1:2c:ab:33:9a:29:4 mac-address=\
    2C:AB:33:9A:29:04 server=dhcp-vlan110
add address=192.168.110.16 client-id=1:8c:79:f5:93:ef:14 mac-address=\
    8C:79:F5:93:EF:14 server=dhcp-vlan110
add address=192.168.110.17 client-id=1:c0:56:27:8f:d5:ea mac-address=\
    C0:56:27:8F:D5:EA server=dhcp-vlan110
add address=192.168.110.20 mac-address=44:09:B8:FE:EB:8C server=dhcp-vlan110
add address=192.168.110.59 comment="slp Ronald" mac-address=DC:4F:22:CB:07:2C \
    server=dhcp-vlan110
add address=192.168.110.62 comment=trap mac-address=DC:4F:22:FA:56:A1 server=\
    dhcp-vlan110
add address=192.168.110.60 comment=werkkamer mac-address=60:01:94:99:7A:26 \
    server=dhcp-vlan110
add address=192.168.110.61 comment="slp Zeb" mac-address=60:01:94:99:78:4D \
    server=dhcp-vlan110
add address=192.168.110.58 comment="wasmachine PoW r2" mac-address=\
    CC:50:E3:1A:F6:8B server=dhcp-vlan110
add address=192.168.110.50 comment=gateway mac-address=7C:49:EB:1C:F3:47 \
    server=dhcp-vlan110
add address=192.168.110.57 comment=s20 mac-address=B4:E6:2D:25:3F:73 server=\
    dhcp-vlan110
add address=192.168.110.51 comment=gang1 mac-address=60:01:94:D6:08:CB \
    server=dhcp-vlan110
add address=192.168.110.52 comment=gang2 mac-address=60:01:94:D6:C7:B3 \
    server=dhcp-vlan110
add address=192.168.110.63 comment=slpObi mac-address=DC:4F:22:C6:A5:22 \
    server=dhcp-vlan110
add address=192.168.110.18 client-id=1:0:11:32:d9:61:16 mac-address=\
    00:11:32:D9:61:16 server=dhcp-vlan110
add address=192.168.110.66 comment=voorraadkast mac-address=34:CE:00:9B:16:08 \
    server=dhcp-vlan110
add address=192.168.110.69 mac-address=54:48:E6:53:5A:87 server=dhcp-vlan110
add address=192.168.110.68 mac-address=64:90:C1:97:AB:E2 server=dhcp-vlan110
add address=192.168.110.67 mac-address=5C:E5:0C:E1:7B:F0 server=dhcp-vlan110
add address=192.168.110.70 mac-address=54:48:E6:51:C8:C0 server=dhcp-vlan110
# NOTE: server=*A is an internal id, not a server name — this lease appears to
# reference a DHCP server that no longer exists (none is defined above), and
# no /ip address covers 172.16.0.0/24. It is disabled; safe to remove.
add address=172.16.0.20 client-id=1:22:ae:66:87:2d:c3 disabled=yes \
    mac-address=22:AE:66:87:2D:C3 server=*A
add address=192.168.110.40 comment=OTGW mac-address=F4:CF:A2:ED:C2:4B server=\
    dhcp-vlan110
# Only lease on the management LAN; the same host is the (disabled) target of
# the sensecap port-forward under /ip firewall nat.
add address=192.168.0.10 client-id=1:e4:5f:1:70:90:93 comment="sensecap M1" \
    mac-address=E4:5F:01:70:90:93 server=dhcp-local
add address=192.168.110.71 mac-address=54:48:E6:53:59:BB server=dhcp-vlan110
add address=192.168.110.22 mac-address=A8:48:FA:E9:15:68 server=dhcp-vlan110
add address=192.168.110.5 client-id=1:ca:7a:a8:1a:6c:61 mac-address=\
    CA:7A:A8:1A:6C:61 server=dhcp-vlan110
add address=192.168.110.142 client-id=1:6a:3f:2d:31:84:4e comment=pixel6 \
    mac-address=6A:3F:2D:31:84:4E server=dhcp-vlan110
add address=192.168.110.24 mac-address=18:FE:34:CF:74:17 server=dhcp-vlan110
add address=192.168.110.81 comment="alfen wallbox" mac-address=\
    3A:65:45:61:7E:46 server=dhcp-vlan110
add address=192.168.110.55 comment="AC werkkamer" mac-address=\
    60:01:94:0C:66:E1 server=dhcp-vlan110
add address=192.168.110.14 client-id=1:90:56:82:43:29:c4 mac-address=\
    90:56:82:43:29:C4 server=dhcp-vlan110
add address=192.168.110.15 client-id=1:0:1b:7c:8:3b:24 mac-address=\
    00:1B:7C:08:3B:24 server=dhcp-vlan110
add address=192.168.110.56 mac-address=40:F5:20:2D:29:DD server=dhcp-vlan110
/ip dhcp-server network
# VLAN 60 clients are handed 100.64.0.23 as resolver (reachable only through
# the tunnel; the same block is listed in not_in_internet below). Every other
# network points at the two Pi-holes on the management LAN.
add address=10.0.60.0/24 comment=mullvad dns-server=100.64.0.23 gateway=\
    10.0.60.1
add address=192.168.0.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local \
    gateway=192.168.0.1
add address=192.168.105.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
    local gateway=192.168.105.1 netmask=24
add address=192.168.110.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
    local gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.0.12,192.168.0.11 domain=\
    local gateway=192.168.120.1 netmask=24
/ip dns
set cache-max-ttl=1d
/ip firewall address-list
# Lists referenced by the filter/NAT rules below: mynetwork, trusted-LAN,
# "untrusted VLAN", pihole, vpn, extDNS, infra and the acl_* lists.
# localNet, not_in_internet and lan_ip are not referenced by any rule in this
# export (dead entries).
add address=192.168.100.0/24 list=localNet
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 list=not_in_internet
add address=192.168.0.0/16 list=not_in_internet
add address=169.254.0.0/16 list=not_in_internet
add address=127.0.0.0/8 list=not_in_internet
add address=224.0.0.0/4 list=not_in_internet
add address=198.18.0.0/15 list=not_in_internet
add address=192.0.0.0/24 list=not_in_internet
add address=192.0.2.0/24 list=not_in_internet
add address=198.51.100.0/24 list=not_in_internet
add address=203.0.113.0/24 list=not_in_internet
add address=100.64.0.0/10 list=not_in_internet
add address=240.0.0.0/4 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=255.255.255.255 list=lan_ip
add address=192.168.0.0/24 comment="Trusted LAN " list=trusted-LAN
# "untrusted VLAN" covers vlan110, vlan120, vlan105 (the server VLAN) and the
# whole of 172.16.0.0/12, which also includes the container's veth1
# (172.17.0.2/24). Because vlan105 is in here, the "Drop from VLAN to VLAN"
# rule isolates it too; only the acl_* accepts let vlan110 reach it.
add address=192.168.110.0/24 list="untrusted VLAN"
add address=192.168.120.0/24 list="untrusted VLAN"
add address=192.168.0.0/16 list=mynetwork
add address=192.168.0.12 list=pihole
add address=172.16.0.0/12 list="untrusted VLAN"
add address=10.0.0.0/24 list=vpn
# extDNS entries are all disabled; they feed the (also disabled) "bypass
# pihole" dst-nat rules.
add address=192.168.0.10 disabled=yes list=extDNS
add address=172.16.0.20 disabled=yes list=extDNS
add address=192.168.0.128 disabled=yes list=extDNS
add address=192.168.105.0/24 list="untrusted VLAN"
add address=192.168.110.105 comment=homeassistant list=acl_postgres
add address=192.168.110.107 comment=teslamate list=acl_postgres
add address=192.168.110.118 comment=miniflux list=acl_postgres
add address=192.168.110.104 comment=grafana list=acl_influx
add address=192.168.110.105 comment=homeassistant list=acl_influx
add address=192.168.110.107 comment=teslamate list=acl_influx
add address=192.168.110.104 comment=grafana list=acl_postgres
add address=192.168.0.1 comment=snmp list=infra
add address=192.168.0.2 comment=snmp list=infra
add address=192.168.0.5 comment=snmp list=infra
# acl_mariadb is not referenced by any filter rule in this export.
add address=172.21.0.2 comment=docker list=acl_mariadb
add address=192.168.110.216 list=acl_influx
add address=192.168.0.183 list=acl_influx
add address=192.168.110.5 comment=docker list=acl_postgres
add address=192.168.0.11 list=pihole
add address=192.168.110.103 comment=spotweb list=acl_postgres
add address=192.168.110.119 comment=invidious list=acl_postgres
/ip firewall filter
# Rules are in export order; input and forward rules are interleaved.
# The forward chain ends without a catch-all drop, so any flow no rule matches
# is forwarded (RouterOS default policy). The reply in this thread restructures
# it into explicit accepts plus one final drop.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Broad: anything from vlan105 to all of 192.168.0.0/16, trusted LAN included.
add action=accept chain=forward comment="servers to LAN" dst-address-list=\
    mynetwork in-interface=vlan105
# Per-service accepts from the acl_* lists into the server VLAN.
add action=accept chain=forward comment=postgres dst-address=192.168.105.11 \
    dst-port=5432 protocol=tcp src-address-list=acl_postgres
add action=accept chain=forward comment=influxdb dst-address=192.168.105.12 \
    dst-port=8086 protocol=tcp src-address-list=acl_influx
add action=accept chain=forward comment=mysql disabled=yes dst-address=\
    192.168.105.15 dst-port=3306 protocol=tcp
# Any UDP port (not only snmp) from the telegraf host to the router / infra.
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 \
    protocol=udp src-address=192.168.105.14
add action=accept chain=forward comment="telegraf snmp" dst-address-list=\
    infra protocol=udp src-address=192.168.105.14
# NOTE: tcp/8728 is the API service, which is disabled under /ip service
# below, so this accept has no effect until api is enabled.
add action=accept chain=input comment="api access from homeassistant" \
    dst-port=8728 protocol=tcp src-address=192.168.110.105
# Home Assistant may open anything (tcp+udp, any port) into the guest VLAN.
add action=accept chain=forward dst-address=192.168.120.0/24 protocol=tcp \
    src-address=192.168.110.105
add action=accept chain=forward dst-address=192.168.120.0/24 protocol=udp \
    src-address=192.168.110.105
add action=accept chain=forward comment="VLAN DNS" dst-address-list=pihole \
    dst-port=53 protocol=udp src-address-list="untrusted VLAN"
add action=accept chain=forward comment="VLAN DNS" dst-address-list=pihole \
    dst-port=53 protocol=tcp src-address-list="untrusted VLAN"
add action=accept chain=forward comment="sensecap M1" disabled=yes \
    dst-address=192.168.0.10 dst-port=44158 protocol=tcp src-port=44158
# WireGuard server port, reachable from anywhere (expected for a road-warrior VPN).
add action=accept chain=input comment=wireguard dst-port=13231 log-prefix=\
    wireguard protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE: established,related is already accepted by the first forward rule, so
# this rule never matches a new connection. New flows from the vpn list to the
# untrusted VLANs fall through to the rules below and, with no final drop,
# are forwarded anyway.
add action=accept chain=forward comment="Accept from VPN to LAN" \
    connection-state=established,related dst-address-list="untrusted VLAN" \
    src-address-list=vpn
# NOTE: comment says accept, action is drop — ICMP to the router is dropped
# (the reply's example uses action=accept here).
add action=drop chain=input comment="defconf: accept ICMP" protocol=icmp
# connection-state=!established: related and untracked flows are not covered.
add action=drop chain=forward comment="Drop from VLAN to LAN" \
    connection-state=!established dst-address-list=trusted-LAN \
    src-address-list="untrusted VLAN"
# Isolates the untrusted VLANs from each other (vlan105 is in that list too).
add action=drop chain=forward comment="Drop from VLAN to VLAN" \
    dst-address-list="untrusted VLAN" src-address-list="untrusted VLAN"
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# LAN = bridge-local only (see /interface list member); "wireguard" is not in
# it, so VPN peers get only the explicit input accepts above. Whether traffic
# entering on the vlanXXX sub-interfaces counts as LAN here is not shown in
# this export — verify with a logging rule before relying on it.
add action=drop chain=input comment="defcon: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Last forward rule: no "drop all else" follows.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall mangle
# Only frames entering through the VLAN 60 interface get the routing mark;
# vlan120 (the question in this thread) is never marked and keeps using the
# main table. The reply replaces this with a src-address /routing rule.
add action=mark-routing chain=prerouting comment=mullvad in-interface=mullvad \
    new-routing-mark=mullvad
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="redirect port for Sensecap M1" \
    disabled=yes dst-port=44158 protocol=tcp to-addresses=192.168.0.10 \
    to-ports=44158
# Disabled: would redirect DNS from hosts in extDNS straight to 1.1.1.1.
add action=dst-nat chain=dstnat comment="bypass pihole" disabled=yes \
    dst-port=53 protocol=udp src-address-list=extDNS to-addresses=1.1.1.1
add action=dst-nat chain=dstnat comment="bypass pihole" disabled=yes \
    dst-port=53 protocol=tcp src-address-list=extDNS to-addresses=1.1.1.1
# Source NAT for everything leaving via the Mullvad tunnel.
add action=masquerade chain=srcnat comment=mullvad out-interface=\
    mullvad-upstream
/ip route
# Default route that exists only in table "mullvad"; the gateway is the
# "network" value of the tunnel address under /ip address.
add comment=mullvad disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    10.124.0.152 pref-src="" routing-table=mullvad scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
# telnet/ftp/www/api/api-ssl are off. ssh, winbox and www-ssl do not appear in
# the export, so presumably remain at their defaults. Note the input accept
# for tcp/8728 ("api access from homeassistant") targets the disabled api.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set active-flow-timeout=1m cache-entries=64k
/ip upnp
# NOTE: with UPnP enabled, LAN hosts can request inbound port mappings. No
# /ip upnp interfaces section appears in this export, so it may be inert —
# verify, and disable it unless it is intentionally used.
set enabled=yes
/ipv6 firewall address-list
# Default bogon list; IPv6 is disabled under /ipv6 settings, so unused.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 nd
set [ find default=yes ] disabled=yes
/routing rule
# Packets carrying routing-mark=mullvad (set by the mangle rule) are resolved
# only in the mullvad table; nothing else ever consults that table.
add action=lookup-only-in-table comment=mullvad routing-mark=mullvad table=\
    mullvad
/snmp
# SNMP enabled; community and allowed addresses are not in the export
# (defaults). The input chain only drops non-LAN sources, so any LAN-side
# host can reach it — the 192.168.105.14 accept is merely the explicit one.
set enabled=yes trap-generators="" trap-version=2
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name="MikroTik RB4011iGS+RM"
/system logging
add topics=dns
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# Two hard-coded NTP server IPs.
add address=64.99.80.121
add address=20.101.57.9
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
# Weekly run of the "backup" script with the full policy set, including
# password and sensitive.
add interval=1w name=run-7d on-event=backup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=aug/19/2021 start-time=09:07:12
/system script
# Script body is a placeholder ("backupscript") in this paste. It runs as admin
# with password/sensitive rights, so its real contents deserve review.
add dont-require-permissions=no name=backup owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="backupscript"
/tool bandwidth-server
set enabled=no
/tool graphing
set page-refresh=60
/tool netwatch
# down-script body is a placeholder ("updatedns") in this paste; the watched
# host is not shown.
add comment="update DNS when Ubound is down" disabled=no down-script="updatedns"

Fair enough, it can seem daunting, but to avoid chasing thoughts a coherent plan is required.
Provide a diagram that shows the equipment and vlans flowing between them.
List your requirements
a. identify the users/devices and groups of users/devices (vlans, single devices, admin etc…)
b. identify what you want them to be able to achieve in terms of traffic flow.

Once you do that I am willing to look at the config and make some coherent suggestions…

here’s a try at a diagram of the network

current setup simplified
vlan-internet: internet connection to my ISP
vlan1: management network, only accessible for myself
vlan105: database servers. only accessible by admin
vlan110: all sorts of services and devices (home assistant, radarr, sonarr, LMS, nodered, teslamate, Television, Amplifiers, etc) . some can connect to vlan105 through specified ports in the firewall
vlan120: guest network, for guests. no access to other vlans
vlan60: test for Mullvad Wireguard VPN

access point 1: admin on vlan1
access point 2: normal users on vlan110
access point 3: guest users on vlan120

i have a wireguard server on the RB4011, which gives access to vlan105, vlan110 and vlan120. My phone has an always-on wireguard connection to my home
iprange 10.0.0.x

at this moment, vlan60 is connected to mullvad vpn. this is working. i also got a container in proxmox that is connected through vlan60 to mullvad VPN

what i want
instead of vlan60, i would like vlan110 to connect to the internet through mullvad wireguard, so netflix, radarr, etc (tv and proxmox containers) are behind the VPN
vlan60 is just a test and should be removed after vlan110 has connection to Mullvad
also, vlan110 should remain accessible from within my network through wifi, as it is now and still be able to connect to vlan105 for specific connections (eg. database)

hope this makes more clear. if there is more info needed i will provide
network.png

Yeah, I don’t do vlan1. Once I go vlans the only thing the bridge does is bridging, no dhcp etc..
Also No, one does not attach wireguard to the bridge…

Besides that you have two wireguard interfaces on the go, one for home, one for mullvad sweden.
You want vlan110 to use sweden vpn and thats the only vlan…

You mention a proxmox container currently on vlan60, a vlan you want to get rid of, so what is the plan for the proxmox container?
What is the purpose of the container (not familiar with proxmox devices)? Also, it is shown on the diagram on vlan1, not vlan60?

Also you fail to mention you also have a container on the router itself, what is that for??

Modified
/interface vlan
add interface=ether1-WAN name=vlan-internet vlan-id=300
add comment=servers interface=bridge-local name=vlan105 vlan-id=105
add comment=“IOT network” interface=bridge-local name=vlan110 vlan-id=110
add comment=“guest network” interface=bridge-local name=vlan120 vlan-id=120
add comment="mgmt network" interface=bridge-local name=Mvlan5 vlan-id=5

/ip pool
add name=dhcp-local ranges=192.168.0.180-192.168.0.254
add name=pool-vlan110 ranges=192.168.110.180-192.168.110.249
add name=pool-vlan120 ranges=192.168.120.180-192.168.120.254
add name=pool-vlan105 ranges=192.168.105.180-192.168.105.185
****
/ip dhcp-server
add interface=vlan105 lease-time=10m name=dhcp-vlan105
add address-pool=dhcp-local interface=Mvlan5 lease-time=5m name=
dhcp-local

add address-pool=pool-vlan110 interface=vlan110 lease-time=5m name=
dhcp-vlan110
add address-pool=pool-vlan120 interface=vlan120 lease-time=5m name=
dhcp-vlan120
add address-pool=pool-vlan105 comment=server lease-time=10m interface=vlan105
name=dhcp-vlan105

/interface bridge port
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast
pvid=110
add bridge=bridge-local ingress-filtering=no interface=ether4 pvid=110 ( hybrid port )
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110 ( access port )
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110 ( access port )
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110 ( access port )
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP ( trunk port )
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500 ( trunk port )
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=5 ( access port )
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=5 ( access port )
add bridge=bridge-local interface=veth1
/interface list member
add interface=bridge-local list=LAN
add interface=vlan-internet list=WAN
add interface=wireguard list=LAN

/interface wireguard peers
add allowed-address=10.0.0.2/32 comment=“mobile” interface=wireguard
public-key=“xxx”
add allowed-address=10.0.0.3/32 comment=“laptop” interface=wireguard
public-key=“xxx”
add allowed-address=0.0.0.0/0 comment=mullvad endpoint-address=
185.213.154.68 endpoint-port=51820 interface=mullvad-upstream public-key=
"xxx" persistent-keepalive=35s

/ip address
add address=192.168.0.1/24 interface=Mvlan5 network=192.168.0.0
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0
add address=192.168.105.1/24 interface=vlan105 network=192.168.105.0
add address=10.66.250.98/24 comment=mullvad interface=mullvad-upstream network=
10.124.0.0

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local
gateway=192.168.0.1
add address=192.168.105.0/24 dns-server=192.168.0.12,192.168.0.11 domain=
local gateway=192.168.105.1 netmask=24
add address=192.168.110.0/24 dns-server=DNS PROVIDED BY MULLVAD domain=
local gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.0.12,192.168.0.11 domain=
local gateway=192.168.120.1 netmask=24

/ip route
add comment=mullvad disabled=no distance=1 dst-address=0.0.0.0/0 gateway=
mullvad-upstream
pref-src=“” routing-table=mullvad scope=30
suppress-hw-offload=no target-scope=10

/routing rule
add action=lookup-only-in-table comment=“local traffic” dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table comment="response to wireguard" dst-address=10.0.0.0/24 table=main
add action=lookup-only-in-table comment=mullvad src-address=192.168.110.0/24 table=mullvad


/ip firewall mangle
add action=mark-routing chain=prerouting comment=mullvad in-interface=mullvad
new-routing-mark=mullvad DISABLED=YES
mangling NOT required!!!
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Sweden-vpn out-interface=mullvad-upstream

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

KEEEP UR PHUCKING RULE CHAINS TOGETHER…

/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=drop chain=input comment=“defconf: drop invalid”
connection-state=invalid

add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=accept chain=input comment=wireguard dst-port=13231 log-prefix=
wireguard protocol=udp
add action=accept chain=input comment=“api access from homeassistant”
dst-port=8728 protocol=tcp src-address=192.168.110.105
add action=accept chain=input comment=“telegraf snmp” dst-address=192.168.0.1
protocol=udp src-address=192.168.105.14
add action=drop chain=input comment=“defcon: drop all not coming from LAN”
in-interface-list=!LAN
+++++++++++++++++++++++++++++++++++++++++++++++++

YOUR FORWARD CHAIN IS A COMPLETE MESS.
NOTE: DNS issues are not dealt with in the forward chain but in the NAT chain! You didn’t mention pi-hole in the requirements…
All you do is add allow rules here, and then block everything else with a DROP rule.
So allow LAN to WAN traffic,
Allow users to reach a DNS source, for example (if there is a DNS server somewhere else, you will need to make dns changes there as well)
Allow port forwarding for example
Allow a certain VLAN to vpn sweden for example.
ANY other specific allow rules.
DONE.

( get rid of the default rule → defconf: drop all from WAN not DSTNATed )
Example…
/ip firewall
{default rules}
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related disabled=NO hw-offload=yes
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
{admin rules}
add action=accept chain=forward comment=“internet traffic” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“wireguard admin to vlans” in-interface=wireguard out-interface-list=LAN
add action=accept chain=forward comment=“allow port forwarding” connection-nat-state=dstnat
add action=accept chain=forward comment=“allow vpn sweden” in-interface=vlan110 out-interface=mullvad-upstream
ANY OTHER ALLOW RULES YOU NEED
add action=drop chain=forward comment="drop all else"

Note: no need to add any drop rules…

thx for the help!
Proxmox is a virtual environment (VE) that is a type-1 hypervisor and it’s based on Debian GNU/Linux.
the container on vlan60 is just for testing. there are other containers running on proxmox, for instance Radarr, HomeAssistant, LMS (logitech media server) but also influx and postgres.
some of them are on vlan105 others vlan110

the container on the router itself is an mDNS repeater that makes the arcam SA30 amplifier and the Chromecast visible in vlans other than vlan110

i did forget to mention 2 piholes. (192.168.0.12 and 192.168.0.11) as dns servers for all networks. (except vlan110 when it is connected to mullvad vpn)

i’m going to test the changes friday when there is no one at home so i can try without bothering others in my house :slight_smile:

Why do you need two piholes?

For backup.
One is on a raspberry pi, the other runs in a container on the proxmox server

i’ve tried setting up the router with a new config that combines my existing config with the one provided, but somehow after that a lot goes wrong :open_mouth:

  • if i connect wired to ether5, i can’t access the router, nor do i get an ip address. the only way to get access is via ether4 (because it’s not configured yet i can access it through RoMON)
  • devices connected to the router’s ethernet ports don’t get an ip address (ether2 pvid 110, ether3, ether6, ether7)
  • somehow the devices connected to the switch (which is connected to ether6) are accessible



/interface bridge
# vlan-filtering is on, but no /interface bridge vlan section appears in this
# paste. With filtering on, every VLAN the router itself must talk on needs an
# entry with bridge-local as a tagged member (and the access ports as untagged
# members); without one the router's vlan interfaces never see the frames.
# NOTE(review): a missing entry for VLAN 5 (ether5/ether8/sfp pvid=5) and
# VLAN 110 (ether2/3/6/7 pvid=110) would match the reported symptom — no
# access and no DHCP lease on those ports — verify that table first.
add name=bridge-local vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] comment=192.168.110.16 name=ether2-TV
set [ find default-name=ether3 ] name=ether3-Chromecast
set [ find default-name=ether6 ] comment=meterkast name=ether6-switch
set [ find default-name=ether7 ] comment="arcam SA30" name=ether7-arcam
set [ find default-name=ether9 ] name=ether9-RB260GSP
set [ find default-name=ether10 ] name=ether10-R500 poe-priority=1
# Still disabled, yet given pvid=5 as a bridge port below.
set [ find default-name=sfp-sfpplus1 ] disabled=yes

/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1

/interface vlan
add comment="ISP" interface=ether1-WAN name=vlan-internet vlan-id=300
add comment="servers" interface=bridge-local name=vlan105 vlan-id=105
add comment="IOT network" interface=bridge-local name=vlan110 vlan-id=110
add comment="guest network" interface=bridge-local name=vlan120 vlan-id=120
# Management moves off the bridge's native VLAN onto a tagged VLAN 5
# (192.168.0.0/24 now lives here, see /ip address).
add comment="mgmt network" interface=bridge-local name=Mvlan5 vlan-id=5

/interface wireguard
# Private keys are redacted in the paste.
add comment=mullvad listen-port=4063 mtu=1420 name=mullvad-upstream private-key="xxx"
add listen-port=13231 mtu=1420 name=wireguard private-key="xxx"

/interface wireguard peers
add allowed-address=10.0.0.2/32 comment="mobiel ronald" interface=wireguard public-key="xxx"
add allowed-address=10.0.0.3/32 comment="carbon x1" interface=wireguard public-key="xxx"
# Mullvad peer: IPv4-only allowed-address now, plus persistent-keepalive.
add allowed-address=0.0.0.0/0 comment=mullvad endpoint-address=185.213.154.68 endpoint-port=51820 interface=mullvad-upstream public-key="xxx" persistent-keepalive=35s

/interface list
add comment="WAN interface" name=WAN
add comment="LAN interface" name=LAN

/interface list member
add interface=bridge-local list=LAN
add interface=vlan-internet list=WAN
# wireguard is now a LAN member, so VPN peers pass the input-chain
# "drop all not coming from LAN" rule and can reach router services.
add interface=wireguard list=LAN

/ip pool
add name=dhcp-local ranges=192.168.0.180-192.168.0.254
add name=pool-vlan105 ranges=192.168.105.180-192.168.105.249
add name=pool-vlan110 ranges=192.168.110.180-192.168.110.249
add name=pool-vlan120 ranges=192.168.120.180-192.168.120.190

/ip address
# Router addresses: one /24 per VLAN interface, the road-warrior range on "wireguard", and the
# Mullvad-issued address on the tunnel.
add address=192.168.0.1/24 interface=Mvlan5 network=192.168.0.0 comment=mgmt
add address=192.168.105.1/24 interface=vlan105 network=192.168.105.0 comment=servers
add address=192.168.110.1/24 interface=vlan110 network=192.168.110.0 comment=iot
add address=192.168.120.1/24 interface=vlan120 network=192.168.120.0 comment=guest
add address=10.0.0.1/24 interface=wireguard network=10.0.0.0 comment=vpn
# NOTE(review): network=10.124.0.0 does not match 10.66.250.98/24 (that would be 10.66.250.0), so
# one of the two is a typo. Check the address and prefix Mullvad issued for this key and either
# correct network= or omit it so RouterOS derives it from the address.
add address=10.66.250.98/24 interface=mullvad-upstream network=10.124.0.0 comment=mullvad

/ip dhcp-server
# One DHCP server per VLAN interface, using the pools defined above; leases are short (5-10 min).
# The management scope on Mvlan5 keeps the name dhcp-local.
add address-pool=dhcp-local comment=mgmt interface=Mvlan5 lease-time=5m name=dhcp-local
add address-pool=pool-vlan105 comment=servers interface=vlan105 lease-time=10m name=dhcp-vlan105
add address-pool=pool-vlan110 comment=iot interface=vlan110 lease-time=5m name=dhcp-vlan110
add address-pool=pool-vlan120 comment=guest interface=vlan120 lease-time=5m name=dhcp-vlan120

/ip dhcp-client
# The ISP uplink address comes from DHCP on the tagged VLAN 300 sub-interface; ISP-supplied NTP is
# refused. use-peer-dns is not set here and so keeps its default — confirm whether ISP resolvers
# end up in /ip dns, since that affects where the router's own lookups go.
add interface=vlan-internet use-peer-ntp=no

/interface bridge port
# Access ports: ingress filtering on, only untagged/priority-tagged frames admitted, pvid sets the
# VLAN. ether2/3/6/7 -> 110 (IoT). ether5, ether8 and sfp-sfpplus1 -> 5 (mgmt): anything plugged
# into those three ports lands on the management VLAN (sfp-sfpplus1 is disabled at ethernet level).
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
# Trunks (RB260GSP switch, R500 access point): tagged frames only. Which VLAN ids they may carry
# is defined under /interface bridge vlan, which is not present in this export.
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=sfp-sfpplus1 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=5
# veth1 joins with no pvid, frame-types or ingress-filtering set, so it presumably takes the
# defaults (pvid 1, untagged) — its VLAN membership is not controlled like the ports above.
add bridge=bridge-local interface=veth1

/ip dhcp-server network
# Every scope hands out the same two resolvers, 192.168.0.12 and 192.168.0.11, which live on the
# management VLAN. Consequences: (1) guest and IoT clients need a forward path to mgmt on port 53;
# (2) 192.168.110.0/24 is steered through Mullvad by the routing rules, but its name lookups are
# answered by mgmt hosts whose traffic is not matched by that rule and therefore leaves via the ISP,
# so DNS for the IoT VLAN does not go through the tunnel unless those resolvers are set up to.
# domain=local is inherited by the tunnelled scope as well.
add address=192.168.0.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.0.1 netmask=24
add address=192.168.105.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.105.1 netmask=24
add address=192.168.110.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.110.1 netmask=24
add address=192.168.120.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.120.1 netmask=24

/routing table
# NOTE(review): `add fib name=""` looks like a paste/export artifact — the built-in main table does
# not need to be added and an empty name is not a usable table. Only the mullvad table matters here.
add fib name=""
add comment=mullvad disabled=no fib name=mullvad

/ip route
# Default route for the mullvad table only; the main table's default is expected to come from the
# DHCP client on vlan-internet (not visible in this export). Traffic reaches this table only via
# the routing rules below, i.e. currently just 192.168.110.0/24.
add comment=mullvad disabled=no distance=1 dst-address=0.0.0.0/0 gateway=mullvad-upstream pref-src="" routing-table=mullvad scope=30 suppress-hw-offload=no target-scope=10

/routing rule
# Evaluated top-down. The first two rules keep traffic for the 192.168.0.0/16 VLANs and for the
# road-warrior range in the main table; they must stay ahead of the mullvad rule or IoT hosts
# would lose their local and VPN-client reachability.
add action=lookup-only-in-table comment="local traffic" dst-address=192.168.0.0/16 table=main
add action=lookup-only-in-table comment="response to wireguard" dst-address=10.0.0.0/24 table=main
# Only the IoT VLAN is sent to Mullvad. lookup-only-in-table means no fallback to main: if the
# tunnel has no usable route, IoT internet traffic fails instead of leaking out via the ISP.
# Any other VLAN that should use the tunnel needs its own src-address rule here.
add action=lookup-only-in-table comment=mullvad src-address=192.168.110.0/24 table=mullvad

/ip firewall mangle
# Disabled and apparently a leftover: it references in-interface=mullvad, which is not defined under
# /interface vlan in this export. Steering is currently done by the routing rule instead, so this
# rule can go once that approach is confirmed to work.
add action=mark-routing chain=prerouting comment=mullvad in-interface=mullvad new-routing-mark=mullvad disabled=yes

/ip firewall nat
# Source NAT for both exits. mullvad-upstream is not in the WAN interface list, so the default-config
# masquerade would not cover it; the second rule handles the tunnel explicitly.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Sweden-vpn out-interface=mullvad-upstream

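/ip firewall filter
# input chain: traffic addressed to the router itself. Rules are evaluated top-down, and a packet
# that matches nothing is accepted by the chain's default policy.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Road-warrior WireGuard handshake port. mullvad-upstream (udp/4063) needs no input rule, because
# that tunnel is initiated from the router towards the configured peer endpoint.
add action=accept chain=input comment=wireguard dst-port=13231 log-prefix=wireguard protocol=udp
# Plain API (tcp/8728) from the Home Assistant host on the IoT VLAN. This port is unencrypted;
# prefer api-ssl (tcp/8729) if the client supports it.
add action=accept chain=input comment="api access from homeassistant" dst-port=8728 protocol=tcp src-address=192.168.110.105
# Narrowed to the SNMP port: the original rule accepted any UDP from this host to the router.
# Adjust dst-port if /snmp is configured to listen on a non-default port.
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 dst-port=161 protocol=udp src-address=192.168.105.14
# Everything else to the router is accepted only from LAN-list members (bridge-local and wireguard).
# Because there is no final drop for LAN-sourced traffic, the two explicit accepts above are
# technically redundant: LAN traffic they match would fall through to the default accept anyway.
add action=drop chain=input comment="defcon: drop all not coming from LAN" in-interface-list=!LAN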
 
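/ip firewall filter
# forward chain: traffic routed through the router. There is no final drop here, so anything not
# matched below — including all inter-VLAN traffic such as guest -> servers/mgmt — is accepted by
# the default policy. The explicit accepts for LAN->WAN and vlan110->mullvad-upstream are therefore
# documentation more than enforcement.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=no hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wireguard admin to vlans" in-interface=wireguard out-interface-list=LAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="allow vpn sweden" in-interface=vlan110 out-interface=mullvad-upstream
# Added: the default-config rule that gives the "allow port forwarding" accept above its meaning —
# new connections arriving from WAN that were not DST-NATed are dropped instead of falling through
# to the default accept.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Added: same protection for the Mullvad tunnel, which is in neither interface list. Its peer has
# allowed-address=0.0.0.0/0, so unsolicited new connections arriving from the tunnel would otherwise
# be forwarded into the VLANs.
add action=drop chain=forward comment="drop all from mullvad tunnel not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=mullvad-upstream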

Okay, the config is looking good. I guessed at the function of the ports a bit, so let's clarify them to make sure this is accurate.

WAN ether1 - is your WAN port (v300)
(access port) ether2 - goes to a dumb device ( TV - 110 )
(access port) ether3 - goes to a dumb device ( media - 110 )
(access port) ether5 - goes to a dumb device ( PC> 5 ) ADMIN?
(access port) ether6 - goes to a dumb device ( dumb switch - 110 )
(access port) ether7 - goes to a dumb device ( camera - 110 )
(access port) ether8 - goes to a dumb device ( PC> 5)
(trunk port) ether9 - goes to a smart device ( smart switch )
(trunk port) ether10 - goes to a smart device ( unknown )
(access port) sfp-sfpplus1 - goes to a dumb device ( PC> 5 ) ADMIN?

++++++++++++++++++++++++++++++++++++

MISSING is your config for
/interface bridge vlan ???

Also, where is any mention of vlan120? It is not in any of your bridge settings.
Where is ether4 (and what is its purpose)? Before, it was set up as a hybrid port, carrying vlan110 untagged and vlan105 tagged.


+++++++++++++++++++++++++++++++++++++++++++++++++++


You forgot to change this line…
add address=192.168.110.0/24 dns-server=192.168.0.12,192.168.0.11 domain=local gateway=192.168.110.1 netmask=24

If vlan110 is truly going to go out via Mullvad for internet, then you need to put the DNS entry (or entries) that Mullvad gave you for their network here (and get rid of the local setting).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Lets look at the logic…
add action=accept chain=input comment="api access from homeassistant" dst-port=8728 protocol=tcp src-address=192.168.110.105
add action=accept chain=input comment="telegraf snmp" dst-address=192.168.0.1 protocol=udp src-address=192.168.105.14
add action=drop chain=input comment="defcon: drop all not coming from LAN" in-interface-list=!LAN

Reading the last rule, it says: drop anything TO THE ROUTER unless it is coming from the LAN.
If you agree with that, then the two rules above are not required, technically speaking, as both sources are coming from the LAN: with no final drop in the input chain, LAN-sourced traffic that matches nothing falls through to the default accept anyway. Leave them be — no harm, no foul, it is working, etc. — but just so you better understand how the rules work.

++++++++++++++++++++++++++++++++++++++++++++++++++++

most of the ports are right

ether5 is not used, i would like to assign that to vlan110
ether4 is not used, i would like to assign that to management vlan105
ether8 is not used, no purpose for that port
ether9 goes to a RB260gs switch (must provide vlan5, 105, 110 and 120)
ether10 goes to a Ruckus R500 wireless access point (must provide vlan5, 110 and 120)

can i add this for bridge vlan

/interface bridge vlan
# Proposed VLAN table. bridge-local is listed as tagged so the router's own vlan105/110/120
# interfaces receive traffic; the two trunks (ether9, ether10) carry 110 and 120 tagged.
# NOTE(review): VLAN 5 (mgmt) is missing from this proposal although ether5, ether8 and sfp-sfpplus1
# are pvid=5 access ports, both trunks are meant to carry it, and Mvlan5 needs bridge-local tagged in it.
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
# VLAN 105 (servers) goes only to the RB260GSP trunk, not to the access point.
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP vlan-ids=105

i’ll remove the local domain from 192.168.110.0/24 and add mullvad dns

vlan5 is your management LAN and vlan105 is your server LAN?

correct, my mistake.

Based on your latest feedback, I assumed the mistake was that you wanted the server VLAN on ether4 (not the management VLAN); if that is not the case, it will have to be modified.

/interface bridge port
# Revised port map: ether4 becomes a server-VLAN (105) access port and ether5 an IoT (110) access
# port; ether8 and sfp-sfpplus1 are no longer bridge members in this proposal. veth1 still joins
# without pvid, frame-types or ingress-filtering, so its VLAN handling follows the bridge defaults.
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=105
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
# Trunks: tagged frames only; allowed VLAN ids come from /interface bridge vlan.
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local interface=veth1

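/interface bridge vlan
# bridge-local is tagged in every VLAN so the router's own VLAN interfaces receive traffic.
# 110 (IoT): both trunks plus veth1 tagged, the IoT access ports untagged.
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
# 120 (guest): trunks and veth1 only, no access ports.
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
# 5 (mgmt): trunks only. A stray "[/b]" BBCode tag was removed from the end of this line; pasted
# as-is it would not parse as a valid vlan-ids value.
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local vlan-ids=5
# 105 (servers): RB260GSP trunk tagged, ether4 as the untagged access port.
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP untagged=ether4 vlan-ids=105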


+++++++++++++++++++++++++
As for ether8, you could always use that for off-bridge access; with complex bridge setups I highly recommend doing your configuring from this port, to avoid getting locked out at any time.

name it ether8-access
Give it an IP address
10.20.30.1/24 network=10.20.30.0 or whatever IP you want…
Then ensure it is OFF the bridge.
Add it as a LAN interface member ether8-access.
Then ensure you can access it from winbox ( modify any rules as necessary )
You should be able to set a static IPv4 address on the PC and gain access to the router via Winbox.

Also always use safe mode!
https://forum.mikrotik.com/viewtopic.php?t=181718

If you meant ether4 should have vlan5 then it would look like…
/interface bridge port
# Alternative port map with ether4 on the management VLAN (5) instead of the server VLAN (105);
# otherwise identical to the previous proposal.
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2-TV pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Chromecast pvid=110

# ether4 as an untagged mgmt access port: a device plugged in here is on the management VLAN.
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=5
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6-switch pvid=110
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7-arcam pvid=110
# Trunks: tagged frames only; allowed VLAN ids come from /interface bridge vlan.
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether9-RB260GSP
add bridge=bridge-local ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether10-R500
add bridge=bridge-local interface=veth1

/interface bridge vlan
# VLAN table matching the ether4-on-vlan5 variant. bridge-local is tagged in every VLAN so the
# router's own VLAN interfaces receive traffic.
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 untagged=ether2-TV,ether3-Chromecast,ether5,ether7-arcam,ether6-switch vlan-ids=110
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local,veth1 vlan-ids=120
# 5 (mgmt): ether4 untagged, trunks tagged.
add bridge=bridge-local tagged=ether10-R500,ether9-RB260GSP,bridge-local untagged=ether4 vlan-ids=5
# 105 (servers): no access port in this variant, RB260GSP trunk only.
add bridge=bridge-local tagged=bridge-local,ether9-RB260GSP vlan-ids=105

getting there, this is helping a lot!
the off-bridge access was just implemented, so I finally don't lock myself out anymore.
Before, I had to hardware-reset the router to the default config to regain access :open_mouth:

one other question.
my wifi accesspoint is on ether10-R500
i have 3 wifi networks, one for vlan1, vlan110 and vlan120
the vlan110 and 120 networks i can connect to with wifi, but the vlan1 wifi i cannot.
should i change the settings of vlan1network to vlan5 ?
i should get an ipaddress
Screenshot_2023-06-04_22-12-45.png

YES!!! ( use v5)

Do not use vlan1 for traffic (clue: we do not have any ports carrying data on vlan1).
It is always there in the background on smart devices on all trunk ports, and is only removed when one has an access port (untagged pvid setting).

for some reason, i can connect to the wifi access point on ether10-R500, but am unable to access the admin page 192.168.0.5

ether9-rb260gs is on vlan1 and is connected to a mikrotik switch (RB260GS). the switch has ip address 192.168.0.2
ether10-r500 is also on vlan1 and is connected to a Ruckus R500 Access Point, and should be accessible on ip address 192.168.0.5

the switch is accessible, but the access point is not ?

I tried to connect directly on the Winbox console, and through a laptop connected to ether4 (vlan5). Both connect to the switch, but not to the AP.

for a complete picture, I have 2 Ruckus access points that are combined and create 3 wifi networks (a separate network for every vlan)
the master AP is connected directly to the router (ether10-r500), the slave AP is connected to a port on the switch (RB260GS) which is connected to the router on port ether9-rb260gs. The master AP is also the controller for the wifi networks

i tried connecting to the wireless networks.

the vlan5 wireless network i get a connection to, but am unable to access the admin page (192.168.0.5)
the vlan110 network connects, even provides a connection to the internet (probably because it connects with the VPN)
the vlan120 network connects, has internet connection through DNS 192.168.0.11

There is no vlan1 for traffic or control.
Every smart device should be on vlan5 and get an IP from vlan5!!