Multiple VLANs using 1 internet connection

Hi!

New to the Mikrotik Routerboard series, but not new to networking :)

I am planning to get more knowledge about MikroTik routers; currently we are using Draytek series routers at our business customers.

See my attachment:
I need to build the following configuration: I have set up my Mikrotik Routerboard so that the device "laptop" connected to ETH 4 is using the internet connection connected to ETH 1.
Laptop can do everything on the mighty internet.

The system connected to ETH 5 is my question:
This situation is placed in a so-called business center, with different small businesses using the single powerful internet connection in place.
I need VLAN separation, because on 2 of the 4 VLANs there are file servers running with Active Directory forests and other file and print services.
Since these 4 companies are not working together (4 separate businesses) I do not want to allow them to access each other's networks, but they must be able to use the powerful internet connection.
Can someone give me some directions on how to set this up?

Create the needed VLANs on Eth5 and give each VLAN interface a dedicated address (use separate subnets).
Build firewall rules in such a way that the traffic can only go outside
/ip firewall filter
# one accept rule per VLAN interface (replace vlan-x with each VLAN interface name); RouterOS uses action=accept, not allow
add chain=forward in-interface=vlan-x out-interface=ether1 action=accept
add chain=forward in-interface=vlan-x out-interface=ether1 action=accept
add chain=forward in-interface=vlan-x out-interface=ether1 action=accept
add chain=forward action=drop
Also bear in mind your laptop and the input-chain.

On the switch side put the port connecting to the routerboard in trunk mode.
Assign needed ports to designated vlan.

The device "laptop" was just plugged in to manage the routerboard and configure it, and to see that my initial setup was running as it should.
In the final setup the Routerboard and switch are placed behind a locked door with our company owning the key.

The device "laptop" is only for configuration and management. It will not stay in place.

I will try the steps you mentioned Rudios! thanx for the assistance so far!

Currently building the configuration. It looks like it goes very well.
I am running the configuration in the WebFig menu.

2 minor questions: I can add VLANs in 2 places:
Switch → Vlan
And Interface → New → Vlan
Which one to use?

And in
Switch → Tab port, do I need to set Ether 5 in VLAN mode? (Enabled?)

You add VLAN interfaces in the interface menu for the router purposes as shown above.
The VLAN configuration in the switch is only for the switch itself, you can just leave it alone as this
means the switch is in fully transparent mode and passes on all traffic to your own VLAN switch.
In your case you can also detach ether5 from the switch (by setting parent interface to none) and
put the VLAN interfaces directly on ether5 (not ether2-master as you normally would do) and you
keep the built-in switch with ports 2/3/4 for future use. You can also keep the management network
on that so that you can always connect the laptop to manage the router no matter what is happening
on the other networks.
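A complete RouterOS 6.x configuration for what the two replies above describe (ether5 detached from the built-in switch, one VLAN sub-interface and subnet per tenant, forward rules that only allow VLAN-to-ether1 traffic, management left on ether2-master). This is an added example, not a config from the thread; the VLAN names, IDs and subnets are assumptions for illustration.

```routeros
# Added example (not from the thread). Tenant names, VLAN IDs and subnets are assumed.

# Detach ether5 from the built-in switch so the VLAN sub-interfaces sit directly on it
/interface ethernet
set [ find default-name=ether5 ] master-port=none

# One 802.1Q sub-interface per tenant; all four are tagged on the trunk to the switch
/interface vlan
add interface=ether5 name=vlan10-tenantA vlan-id=10
add interface=ether5 name=vlan20-tenantB vlan-id=20
add interface=ether5 name=vlan30-tenantC vlan-id=30
add interface=ether5 name=vlan40-tenantD vlan-id=40

# Group the tenant VLANs so the firewall needs one rule per policy instead of one per VLAN
/interface list
add name=TENANTS
/interface list member
add interface=vlan10-tenantA list=TENANTS
add interface=vlan20-tenantB list=TENANTS
add interface=vlan30-tenantC list=TENANTS
add interface=vlan40-tenantD list=TENANTS

# Dedicated subnet per VLAN; the router is .1 in each (DHCP servers per VLAN omitted here)
/ip address
add address=192.168.10.1/24 interface=vlan10-tenantA
add address=192.168.20.1/24 interface=vlan20-tenantB
add address=192.168.30.1/24 interface=vlan30-tenantC
add address=192.168.40.1/24 interface=vlan40-tenantD

# Rules are evaluated top-down and "add" appends, so keep the tenant drop rules
# before any catch-all accept that may already exist in the chain.
/ip firewall filter
# forward: tenants reach the internet via ether1 and nothing else
# (no tenant-to-tenant traffic, no access to the 192.168.88.0/24 management LAN)
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface-list=TENANTS out-interface=ether1 action=accept
add chain=forward in-interface-list=TENANTS action=drop comment="tenant isolation"
# input: tenants may only ping the router and use it for DNS/DHCP; management stays on ether2-master
add chain=input connection-state=established,related action=accept
add chain=input in-interface-list=TENANTS protocol=icmp action=accept
add chain=input in-interface-list=TENANTS protocol=udp dst-port=53,67 action=accept
add chain=input in-interface-list=TENANTS action=drop comment="no router management from tenants"

# NAT all tenant subnets behind the ether1 address
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

To verify, ping a host in VLAN 20 from a host in VLAN 10 and watch the "tenant isolation" counter grow in `/ip firewall filter print stats`, while a ping to an internet address from the same host still succeeds.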

I think I am quite on the way to getting this running.

My current setup is:
Created the VLAN interfaces and gave them IPs in different subnets.
e.g.:
VLAN 10 192.168.1.1/24

On the switch I have some ports added to VLAN 10, where the uplink to the routerboard has its port tagged in VLAN 10.

Currently I am missing something. The device laptop is now connected to the switch on one of the ports in VLAN 10. That port is in untagged mode.
I am NOT able to run a successful ping to the routerboard (192.168.1.1).
Not set up the firewall rules yet, first wanting a working situation where my device "laptop" can use the internet.

I had something working before adding the VLANs. The laptop was in the same range as the original IP of the routerboard (192.168.88.x). The laptop was hooked up to the switch and using the internet.

Do a

/export file=somename

From a telnet or ssh session to the router, then download the file from the files menu and post it here.

My running config

# jan/11/2017 11:35:00 by RouterOS 6.38
# software id = 4TQ6-LZFQ
#
/interface bridge
add admin-mac=D4:CA:6D:27:12:53 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/interface vlan
add interface=ether5 name="Bedrijf 2" vlan-id=20
add interface=ether5 name="Bedrijf 3" vlan-id=30
add interface=ether5 name="Bedrijf 4" vlan-id=1
add interface=ether5 name=GraafADV vlan-id=10
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name=GraafWiFi wpa-pre-shared-key=xxxxxxxxxx wpa2-pre-shared-key=xxxxxxxxxxxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=netherlands disabled=no distance=indoors frequency=auto ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15" mode=ap-bridge security-profile=GraafWiFi ssid="wifinetworkname" wireless-protocol=802.11
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=192.168.88.0
add address=192.168.1.1/24 interface=GraafADV network=192.168.1.0
add address=192.168.2.1/24 interface="Bedrijf 2" network=192.168.2.0
add address=192.168.3.1/24 interface="Bedrijf 3" network=192.168.3.0
add address=192.168.4.1/24 interface="Bedrijf 4" network=192.168.4.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward in-interface=GraafADV out-interface=ether1
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/system clock
set time-zone-name=Europe/Amsterdam
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

Disable the master port assignment for port 5.

I have it working.
Yesterday I was assisted by one of my friends who also owns a Mikrotik Routerboard (he has more devices like Mikrotik Cloud Cores etc.).

He indeed detached port 5 from the bridge. He concluded that the basic setup which comes by default with the Routerboard was causing me trouble.
The config I did with the help here indeed pushed me very far in the right direction. Thanx for all your help!
(I have no reputation points yet, so sadly I can't add positive reputation points to your posts guys (or girls?? ))

On the switch side, what had gone wrong was that the switch's software made the uplink port hybrid. (HP5120-49G managed L3 switch)
It was changed from hybrid to trunk port mode.

The project is installed next week at the customer's place. (I will install a brand new routerboard at my home shortly afterwards.)

Thanx again!