Network with external router and isolated bridge

Hi all,

I have a network with an external router that shall also act as DHCP server. A CRS326 in RouterOS mode shall mostly just act as a switch, with the router connected to port 1. However, there shall be a secondary, isolated bridge (network) on four ports with the CRS326 as DHCP server. All devices on the isolated bridge shall see each other and have internet access through the CRS326, but be strictly separated from the other ports. This is what I tried so far:

/interface bridge
add name=bridge-isolated
add name=bridge-main
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-isolated ranges=192.168.100.100-192.168.100.200
/ip dhcp-server
add address-pool=pool-isolated disabled=no interface=bridge-isolated name=dhcp-isolated
/interface bridge port
add bridge=bridge-main interface=ether1
add bridge=bridge-main interface=ether2
add bridge=bridge-main interface=ether3
add bridge=bridge-main interface=ether4
add bridge=bridge-main interface=ether5
add bridge=bridge-main interface=ether6
add bridge=bridge-main interface=ether7
add bridge=bridge-main interface=ether8
add bridge=bridge-main interface=ether9
add bridge=bridge-main interface=ether10
add bridge=bridge-main interface=ether11
add bridge=bridge-main interface=ether12
add bridge=bridge-main interface=ether13
add bridge=bridge-main interface=ether14
add bridge=bridge-main interface=ether15
add bridge=bridge-main interface=ether16
add bridge=bridge-main interface=ether17
add bridge=bridge-main interface=ether18
add bridge=bridge-main interface=ether19
add bridge=bridge-main interface=ether20
add bridge=bridge-isolated interface=ether21
add bridge=bridge-isolated interface=ether22
add bridge=bridge-isolated interface=ether23
add bridge=bridge-isolated interface=ether24
/ip address
add address=192.168.100.1/24 interface=bridge-isolated network=192.168.100.0
/ip dhcp-client
add disabled=no interface=bridge-main
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=drop chain=forward in-interface=bridge-isolated out-interface=bridge-main
add action=drop chain=forward in-interface=bridge-main out-interface=bridge-isolated
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-main src-address=192.168.100.0/24
/system routerboard settings
set boot-os=router-os

Everything seems to work except that the isolated network doesn’t have internet access. The NAT is in place and the routing table looks fine to me:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.0.1               1
 1 ADC  192.168.0.0/24     192.168.0.21    bridge-main               0
 2 ADC  192.168.100.0/24   192.168.100.1   bridge-isolated           0

So I’m out of ideas what might cause the issue :frowning:. Any ideas?

Okay, so you want the switch to act as a router, pass some of the LAN subnets from the router directly (transparently) to local ports on the switch, and then have some local ports get local DHCP etc…

This is how I would do it.
Coming from main router.
vlan10 - this translates to the subnet on bridge main.
vlan20 - this translates to the subnet on bridge isolated
vlan66 - this is the management or base vlan that the admin can access on the router and where switch gets its IP address from ( and where isolated subnet gets its internet access )

There is a TRUNK port on the main router carrying all three vlans to the SWITCH.
Ether1 on the switch is where the trunk port leads to.
START WITH the OFF-BRIDGE port first!!, and then do all config from there…
To avoid VLAN filtering hiccups, and to configure from a safe spot, I recommend you take ether20 off the bridge.
/interface ethernet
set [ find default-name=ether20 ] name=OffBridge20
/ip address
add address=192.168.55.1/30 interface=OffBridge20 network=192.168.55.0
/interface list
add name=LAN
/interface list member
add interface=OffBridge20 list=LAN

Now plug in your laptop into ether20, change ipv4 settings to 192.168.55.2 and you should be in!!!


/interface bridge
add name=bridge vlan-filtering=no
# turn vlan-filtering on as the last step
/interface ethernet
set [ find default-name=ether20 ] name=OffBridge20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface vlan
add interface=bridge name=vlan66-base vlan-id=66 comment="management vlan"
add interface=bridge name=vlan20-isolated vlan-id=20 comment="isolated vlan"
/ip pool
add name=pool-isolated ranges=192.168.100.100-192.168.100.200
/ip dhcp-server
add address-pool=pool-isolated interface=vlan20-isolated name=dhcp-isolated
/interface bridge port
# ether1 is the trunk from the main router: tagged frames only
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether12 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether16 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether17 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether18 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether19 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether21 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether22 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether23 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=20
/interface list
# skip LAN if you already created it for the off-bridge port
add name=LAN
add name=WAN
add name=TRUSTED
/interface list member
add interface=vlan66-base list=WAN
add interface=vlan20-isolated list=LAN
add interface=OffBridge20 list=LAN
add interface=vlan66-base list=TRUSTED
add interface=OffBridge20 list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 untagged=ether21,ether22,ether23,ether24 vlan-ids=20
add bridge=bridge tagged=bridge,ether1 vlan-ids=66
/ip address
# X = the static DHCP lease reserved for the switch on the main router
add address=192.168.66.X/24 interface=vlan66-base network=192.168.66.0
add address=192.168.55.1/30 interface=OffBridge20 network=192.168.55.0
add address=192.168.100.1/24 interface=vlan20-isolated network=192.168.100.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED
add action=accept chain=input comment="isolated users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="isolated users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# put this drop rule in only after the rules above and the interface list entries are in place
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system routerboard settings
set boot-os=router-os
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.66.1
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.66.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Thanks! However that solution looks a bit more complex than my initial attempt…

Just to get everything right: you suggest using VLANs instead of several bridges. Is it bad style to solve that with several bridges, does it cause more load, or is there just no way to do that with several bridges instead of VLANs?
The external router doesn’t support VLANs. Is the traffic from port 1 to the router untagged?

Okay, well, that's very good to know. That solution was optimal but based on the upstream router being capable of VLANs.
Since this is not the case, it will be simpler, but VLANs are still the way to go on the switch.
VLANs are better than two bridges.

  1. Ensure you use the off-bridge approach to configure the router.

  2. We will add two VLANs, one for the traffic coming from the router on ether1 untagged and the second for the LAN behind the MT switch. Assuming the gateway for this main LAN is 192.168.0.1 and the IP assigned to the switch is 192.168.0.21.

  3. The config assumes you want to be able to configure the router from either the LAN of the upstream router, the LAN behind the switch, or the off-bridge port connection.
    This will be accomplished by a firewall address list!!

/interface bridge
add name=bridge vlan-filtering=no
# turn vlan-filtering on as the last step
/interface ethernet
set [ find default-name=ether20 ] name=OffBridge20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface vlan
add interface=bridge name=vlan10-main vlan-id=10 comment="Upstream router LAN"
add interface=bridge name=vlan20-isolated vlan-id=20 comment="isolated vlan"
/ip pool
add name=pool-isolated ranges=192.168.100.100-192.168.100.200
/ip dhcp-server
add address-pool=pool-isolated interface=vlan20-isolated name=dhcp-isolated
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether12 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether16 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether17 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether18 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether19 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether21 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether22 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether23 pvid=20
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=20
/interface list
# skip LAN if you already created it for the off-bridge port
add name=LAN
add name=WAN
add name=TRUSTED
/interface list member
add interface=vlan10-main list=WAN
add interface=vlan20-isolated list=LAN
add interface=OffBridge20 list=LAN
add interface=vlan10-main list=TRUSTED
add interface=vlan20-isolated list=TRUSTED
add interface=OffBridge20 list=TRUSTED
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether21,ether22,ether23,ether24 vlan-ids=20
/ip address
add address=192.168.55.1/30 interface=OffBridge20 network=192.168.55.0
add address=192.168.100.1/24 interface=vlan20-isolated network=192.168.100.0
add address=192.168.0.21/24 interface=vlan10-main network=192.168.0.0 comment="main lan"
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.0.XX list=AUTHORIZED comment="admin IP on ISP router LAN"
add address=192.168.100.YY list=AUTHORIZED comment="admin IP on MT switch LAN"
add address=192.168.55.2 list=AUTHORIZED comment="off bridge admin access"
# add any others as required
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=AUTHORIZED
add action=accept chain=input comment="isolated users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="isolated users to services" in-interface-list=LAN dst-port=53 protocol=tcp
# put this drop rule in only after the rules above and the interface list entries are in place
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system routerboard settings
set boot-os=router-os
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
/system ntp client
set enabled=yes
/system ntp client servers
# add address=<find country servers that apply>
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
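An added example, not from the thread or the poster above: a small evaluator that walks the forward chain of the proposal above with a few constructed packets. The interface lists and rules are copied from the config above; the host addresses 192.168.100.50 and 192.168.0.10 are made up. It confirms that new flows from the isolated VLAN to the internet are accepted and that new flows from the main LAN into the isolated VLAN are dropped. It also shows a consequence of the design that is easy to miss: because the upstream router's LAN is the WAN of this switch, the `in-interface-list=LAN out-interface-list=WAN` accept also admits isolated hosts to the 192.168.0.0/24 hosts on ports 2-19 (behind the masquerade). The extra drop rule below is my suggestion for "strictly separated", not something the thread posted.

```python
"""Walk the posted forward chain with constructed packets (added example)."""
import ipaddress
from dataclasses import dataclass

# Interface lists from the second proposal in the thread.
INTERFACE_LISTS = {
    "WAN": {"vlan10-main"},
    "LAN": {"vlan20-isolated", "OffBridge20"},
}

# Forward chain as posted, top to bottom. The three state rules never match the
# first packet of a new flow, so that packet is decided by the last two rules.
FORWARD_CHAIN = [
    {"action": "fasttrack-connection", "connection-state": "established,related"},
    {"action": "accept", "connection-state": "established,related,untracked"},
    {"action": "drop", "connection-state": "invalid"},
    {"action": "accept", "in-interface-list": "LAN", "out-interface-list": "WAN"},
    {"action": "drop"},
]

# Suggested extra rule (mine, not the thread's): the isolated VLAN may leave
# through vlan10-main, but not talk to the upstream LAN subnet that lives there.
ISOLATION_RULE = {"action": "drop", "in-interface": "vlan20-isolated", "dst-address": "192.168.0.0/24"}
HARDENED_CHAIN = FORWARD_CHAIN[:3] + [ISOLATION_RULE] + FORWARD_CHAIN[3:]


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    state: str = "new"  # new | established | related | invalid | untracked


def matches(rule, pkt):
    """True if every matcher in the rule (everything except action) fits the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "connection-state":
            ok = pkt.state in want.split(",")
        elif key == "in-interface":
            ok = pkt.in_iface == want
        elif key == "in-interface-list":
            ok = pkt.in_iface in INTERFACE_LISTS[want]
        elif key == "out-interface-list":
            ok = pkt.out_iface in INTERFACE_LISTS[want]
        elif key == "dst-address":
            ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(want)
        else:
            raise ValueError(f"matcher {key!r} is not modelled here")
        if not ok:
            return False
    return True


def verdict(chain, pkt):
    """Return the action of the first terminating rule that matches the packet."""
    for rule in chain:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "fasttrack-connection":
            continue  # only marks the flow; it never matches a new flow anyway
        return rule["action"]
    return "accept"  # RouterOS default when no rule matches (unused: the chain ends in drop)


# Constructed packets (hosts made up; subnets are the ones from the thread).
ISOLATED_TO_INTERNET = Packet("192.168.100.50", "8.8.8.8", "vlan20-isolated", "vlan10-main")
ISOLATED_TO_MAIN_LAN = Packet("192.168.100.50", "192.168.0.10", "vlan20-isolated", "vlan10-main")
MAIN_LAN_TO_ISOLATED = Packet("192.168.0.10", "192.168.100.50", "vlan10-main", "vlan20-isolated")
REPLY_TO_ISOLATED = Packet("8.8.8.8", "192.168.100.50", "vlan10-main", "vlan20-isolated", state="established")

if __name__ == "__main__":
    for name, pkt in [("isolated -> internet", ISOLATED_TO_INTERNET),
                      ("isolated -> main LAN host", ISOLATED_TO_MAIN_LAN),
                      ("main LAN host -> isolated", MAIN_LAN_TO_ISOLATED),
                      ("reply -> isolated", REPLY_TO_ISOLATED)]:
        print(f"{name:28s} posted={verdict(FORWARD_CHAIN, pkt):6s} hardened={verdict(HARDENED_CHAIN, pkt)}")
```

On the switch the extra rule is `/ip firewall filter add action=drop chain=forward in-interface=vlan20-isolated dst-address=192.168.0.0/24`, placed above the "internet traffic" accept. It also keeps isolated hosts away from the upstream router's own address 192.168.0.1, which is what strict separation asks for; their default-route traffic still passes because it is matched on the internet destination, not on the gateway, and the switch's own 192.168.0.21 is unaffected because traffic to it goes through the input chain.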

Unfortunately that didn’t work out so well.

I first wiped all old configuration via

/system reset-configuration no-defaults=yes skip-backup=yes

Then corrected some typos in the configuration and added the ether20 offbridge.

And finally applied the configuration line by line (with some errors; the error messages are shown after the “//”):

/interface ethernet
set [ find default-name=ether20] name=OffBridge20
/ip address
add address=192.168.55.1/29 interface=OffBridge20 network=192.168.55.0
/interface list member
add interface=OffBridge20 list=LAN

// input does not match any value of list

/interface bridge
add name=bridge  vlan-filtering=no
/interface ethernet
set [ find default-name=ether20 ] name=OffBridge20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface vlan
add interface=bridge name=vlan10-main vlan-id=10 comment="Upstream router LAN"
add interface=bridge name=vlan20-isolated vlan-id=20 comment="isolated vlan"
/ip pool
add name=pool-isolated ranges=192.168.100.100-192.168.100.200
/ip dhcp-server
add address-pool=pool-isolated  interface=vlan20-isolated name=dhcp-isolated
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether6 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether12 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether16 pvid=10
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether17 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether18 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether19 pvid=10 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether21 pvid=20 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether22 pvid=20 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether23 pvid=20 
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED

// input does not match any value of discover-interface-list

/interface bridge vlan
add bridge=bridge tagged=bridge  untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19  vlan-id=10
add bridge=bridge tagged=bridge  untagged=ether21,ether22,ether23,ether24  vlan-id=20
/ip address
add address=192.168.55.1/30 interface=OffBridge20 network=192.168.55.0
add address=192.168.100.1/24 interface=vlan20-isolated network=192.168.100.0
add address=192.168.0.2/24 interface=vlan10-main network=192.168.0.0  comment="main lan"
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/interface list member
add interface=vlan10-main list=WAN
add interface=vlan20-isolated list=LAN
add interface=OffBridge20 list=LAN
add interface=vlan10-main list=TRUSTED
add interface=vlan20-isolated list=TRUSTED
add interface=OffBridge20 list=TRUSTED
/ip firewall address-list
add address=192.168.0.3  list=AUTHORIZED comment="admin IP on ISP router LAN"
add address=192.168.20.3 list=AUTHORIZED comment="admin IP on MT switch LAN"
add address=192.158.55.3  list=AUTHORIZED comment="off bridge admin access"
{ add any others as required }
/ip firewall filter
add action=accept chain=input  connection-state=established,related,untracked
add action=drop chain=input  connection-state=invalid
add action=accept chain=input  protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=AUTHORIZED
add action=accept chain=input comment="isolated users to services"  in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="isolated users to services"  in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="drop all else"    { put this rule in only after the ones above are in place including interface list entries }
++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related 
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic"  in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system routerboard settings
set boot-os=router-os
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
/system ntp client
set enabled=yes

/system ntp client servers
add address={ find country servers that apply }

// ignored for now

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/interface bridge
set name=bridge  vlan-filtering=yes

The network devices from the isolated bridge now appear on the external router and still don’t have internet access. So the result unfortunately is worse than it was in the first place.

Seems like the isolated network is not visible by the external router anymore. Maybe it was just visible during setup and the router removed it from the list of currently active devices with some delay. But still no internet access for them.

That is correct, the isolated subnet is INDEED isolated as its behind the MT router.
What kind of exposure would you like to give the isolated network besides access to the internet??

Not sure but I thought the IP of the switch was 192.168.0.21, not sure why you changed it to .2 ??
Also this is wrong:
add address=192.158.55.3 list=AUTHORIZED comment="off bridge admin access"
should be
add address=192.158.55.2 list=AUTHORIZED comment="off bridge admin access"

Get rid of duplicate rules in your config, like interface list ones and /bridge ones etc…

No exposure besides the internet access. I was surprised that the router saw the devices, which it shouldn’t. The last post was just an update to the one before regarding current visibility.

I just fixed the IPs, seems like the DHCP server on the isolated network is broken. There are four devices connected to the ports 21-24, configured for DHCP and none of them receives an IP. Also WinBox shows an empty Lease list. Here’s the current config export:

# jan/02/1970 09:47:32 by RouterOS 6.49.15
# software id = IX5G-B423
#
# model = CRS326-24G-2S+
# serial number = XXX
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether20 ] name=OffBridge20
/interface vlan
add comment="Upstream router LAN" interface=bridge name=vlan10-main vlan-id=10
add comment="isolated vlan" interface=bridge name=vlan20-isolated vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-isolated ranges=192.168.100.100-192.168.100.200
/ip dhcp-server
add address-pool=pool-isolated interface=vlan20-isolated name=dhcp-isolated
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether11 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether12 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether13 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether14 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether15 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether16 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether17 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether18 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether19 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether21 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether22 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether23 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether24 pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19 \
    vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether21,ether22,ether23,ether24 vlan-ids=20
/interface list member
add interface=vlan10-main list=WAN
add interface=vlan20-isolated list=LAN
add interface=OffBridge20 list=LAN
add interface=vlan10-main list=TRUSTED
add interface=vlan20-isolated list=TRUSTED
add interface=OffBridge20 list=TRUSTED
/ip address
add address=192.168.55.1/29 interface=OffBridge20 network=192.168.55.0
add address=192.168.55.1/30 interface=OffBridge20 network=192.168.55.0
add address=192.168.100.1/24 interface=vlan20-isolated network=192.168.100.0
add address=192.168.0.21/24 comment="main lan" interface=vlan10-main network=192.168.0.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.0.2 comment="admin IP on ISP router LAN" list=AUTHORIZED
add address=192.158.55.3 comment="off bridge admin access" list=AUTHORIZED
add address=192.168.20.3 comment="admin IP on MT switch LAN" list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=AUTHORIZED
add action=accept chain=input comment="isolated users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="isolated users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.0.1
/system ntp client
set enabled=yes
/system routerboard settings
set boot-os=router-os
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

  1. I certainly recommend updating the firmware to 7.16.2.
    If you do it manually (or by selecting updates automatically), it has to be done in two steps: first to 7.12.1 and then to 7.16.2.

  2. Duplicate Ip address
    /ip address
    add address=192.168.55.1/29 interface=OffBridge20 network=192.168.55.0
    add address=192.168.55.1/30 interface=OffBridge20 network=192.168.55.0
    add address=192.168.100.1/24 interface=vlan20-isolated network=192.168.100.0
    add address=192.168.0.21/24 comment="main lan" interface=vlan10-main network=192.168.0.0

  3. Okay, the error I see is that ether1 was removed from /interface bridge port.

First add the missing port to the bridge…
a. /interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether1 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10

That should fix some things. As for DHCP, no idea why ports 21-24 are not getting a lease??

Thanks!

  1. I didn’t notice that the firmware is that old. I always just updated via Quick Set and the only update I was offered there was from 6.49.15 to 6.49.17. Now I upgraded manually to 7.16.2.

  2. Thanks, removed.

  3. ether1 is there, but for whatever reason it is printed after ether3

  4. Still no lease on 21-24. For testing purposes I just connected a Win 10 notebook there. It doesn’t get a lease. But when I manually set e.g. the IP to 192.168.100.2, gateway to 192.168.100.1 and DNS server to 8.8.8.8 on the notebook I have internet access. The problem is just that the devices that are usually connected there rely on DHCP.

Here the current export, it got way longer with the firmware update:

[admin@MikroTik] > export
# 1970-01-02 01:21:14 by RouterOS 7.16.2
# software id = IX5G-B423
#
# model = CRS326-24G-2S+
# serial number = XXX
/interface bridge
add ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether20 ] name=OffBridge20
/interface vlan
add comment="Upstream router LAN" interface=bridge name=vlan10-main vlan-id=10
add comment="isolated vlan" interface=bridge name=vlan20-isolated vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool-isolated ranges=192.168.100.100-192.168.100.200
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether10 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether11 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether12 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether13 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether14 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether15 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether16 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether17 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether18 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether19 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether21 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether22 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether23 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether24 internal-path-cost=10 path-cost=10 pvid=20
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19 \
    vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether21,ether22,ether23,ether24 vlan-ids=20
/interface list member
add interface=vlan10-main list=WAN
add interface=vlan20-isolated list=LAN
add interface=OffBridge20 list=LAN
add interface=vlan10-main list=TRUSTED
add interface=vlan20-isolated list=TRUSTED
add interface=OffBridge20 list=TRUSTED
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.55.1/30 interface=OffBridge20 network=192.168.55.0
add address=192.168.100.1/24 interface=vlan20-isolated network=192.168.100.0
add address=192.168.0.21/24 comment="main lan" interface=vlan10-main network=192.168.0.0
/ip dhcp-server
add address-pool=pool-isolated disabled=yes interface=vlan20-isolated lease-time=10m name=dhcp-isolated
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.0.2 comment="admin IP on ISP router LAN" list=AUTHORIZED
add address=192.158.55.3 comment="off bridge admin access" list=AUTHORIZED
add address=192.168.20.3 comment="admin IP on MT switch LAN" list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=AUTHORIZED
add action=accept chain=input comment="isolated users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="isolated users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes mode=broadcast
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

Take a look at this line! It's a new error, as the rule was enabled in previous configurations.

/ip dhcp-server
add address-pool=pool-isolated disabled=yes interface=vlan20-isolated lease-time=10m name=dhcp-isolated

Thanks to both of you! Now everything works fine.

But that behavior is very strange and in my opinion that shouldn’t have happened. There was no previous configuration, since I wiped the router on purpose before applying the configuration. And even if there had been, the router should also have reported that with firmware 6.49.15.

Just in case someone is interested in a similar setup - here’s the final export:

# 1970-01-02 20:51:26 by RouterOS 7.16.2
# software id = IX5G-B423
#
# model = CRS326-24G-2S+
# serial number = XXX
/interface bridge
add ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether20 ] name=OffBridge20
/interface vlan
add comment="Upstream router LAN" interface=bridge name=vlan10-main vlan-id=10
add comment="isolated vlan" interface=bridge name=vlan20-isolated vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=TRUSTED
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add name=pool-isolated ranges=192.168.100.100-192.168.100.200
/ip dhcp-server
add address-pool=pool-isolated interface=vlan20-isolated lease-time=10m name=dhcp-isolated
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether6 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether10 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether11 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether12 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether13 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether14 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether15 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether16 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether17 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether18 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether19 internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether21 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether22 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether23 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether24 internal-path-cost=10 path-cost=10 pvid=20
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19 \
    vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether21,ether22,ether23,ether24 vlan-ids=20
/interface list member
add interface=vlan10-main list=WAN
add interface=vlan20-isolated list=LAN
add interface=OffBridge20 list=LAN
add interface=vlan10-main list=TRUSTED
add interface=vlan20-isolated list=TRUSTED
add interface=OffBridge20 list=TRUSTED
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.55.1/30 interface=OffBridge20 network=192.168.55.0
add address=192.168.100.1/24 interface=vlan20-isolated network=192.168.100.0
add address=192.168.0.21/24 comment="main lan" interface=vlan10-main network=192.168.0.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=192.168.0.2 comment="admin IP on ISP router LAN" list=AUTHORIZED
add address=192.158.55.3 comment="off bridge admin access" list=AUTHORIZED
add address=192.168.20.3 comment="admin IP on MT switch LAN" list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="admin access" in-interface-list=TRUSTED src-address-list=AUTHORIZED
add action=accept chain=input comment="isolated users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="isolated users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/system ntp client
set enabled=yes mode=broadcast
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
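
As an added example (not code from the thread or from MikroTik), here is a small Python linter for the export format that catches both mistakes found above: a dhcp-server left at disabled=yes and a bridge port whose pvid is not backed by an untagged entry under /interface bridge vlan. It assumes the export layout shown in this thread and runs on a constructed, shortened sample export.

```python
"""Lint a RouterOS export for the two mistakes debugged in this thread. Added example,
not code from the thread or from MikroTik; the sample export below is constructed."""
import shlex

def parse_export(text):
    """Return {menu path: [ {key: value, ...}, ... ]} for each add/set line."""
    entries, section, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # export wraps long values with a trailing '\'
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):  # a new menu path such as /ip dhcp-server
            section = line
            continue
        params = {}
        for word in shlex.split(line)[1:]:  # shlex keeps "quoted values" intact
            if "=" in word:
                params.update([word.split("=", 1)])
        entries.setdefault(section, []).append(params)
    return entries

def check_dhcp(cfg):
    """Flag DHCP servers that are disabled or bound to an interface without an IP."""
    addressed = {a.get("interface") for a in cfg.get("/ip address", [])}
    problems = []
    for srv in cfg.get("/ip dhcp-server", []):
        if srv.get("disabled") == "yes":
            problems.append(f"dhcp-server {srv['name']} is disabled")
        if srv.get("interface") not in addressed:
            problems.append(f"dhcp-server {srv['name']}: no /ip address on its interface")
    return problems

def check_pvid(cfg):
    """Each bridge port's pvid must be a VLAN in which the port is listed untagged."""
    untagged = {}
    for vlan in cfg.get("/interface bridge vlan", []):
        for port in vlan.get("untagged", "").split(","):
            untagged.setdefault(port, set()).add(vlan["vlan-ids"])
    return [f"port {p['interface']}: pvid {p.get('pvid', '1')} but not untagged in that VLAN"
            for p in cfg.get("/interface bridge port", [])
            if p.get("pvid", "1") not in untagged.get(p["interface"], set())]

SAMPLE_EXPORT = """\
# constructed sample: ether22 is a VLAN 20 access port but is missing from the untagged list
/interface bridge port
add bridge=bridge interface=ether21 pvid=20
add bridge=bridge interface=ether22 pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=\\
    ether21 \\
    vlan-ids=20
/ip address
add address=192.168.100.1/24 interface=vlan20-isolated network=192.168.100.0
/ip dhcp-server
add address-pool=pool-isolated disabled=yes interface=vlan20-isolated name=dhcp-isolated
"""
```

Feed the text of a saved export to parse_export() instead of SAMPLE_EXPORT to lint a live configuration.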

Just out of curiosity: the router obviously still reports the wrong time. In an attempt to fix that I added an external NTP server, but that seemingly didn’t change anything:

/system/ntp/client/servers/add address=de.pool.ntp.org

What do you get with:
/system/ntp/client> print
?

Not sure if Client settings are correct.
Should just be enabled and try setting the server to 192.168.0.1

Ensure on the upstream router that you have something like
add chain=input action=accept comment="timing" in-interface-list=LAN src-address=192.168.0.21 dst-port=123 protocol=udp

I just changed the address to the upstream router as anav proposed, but it looked the same (status: waiting) beforehand

[admin@MikroTik] /system/ntp/client> print
     enabled: yes
        mode: broadcast
     servers: 192.168.0.1
         vrf: main
  freq-drift: 0 PPM
      status: waiting

The upstream router is not from Mikrotik, therefore I can’t perform such a setting. I honestly have no clue what’s provided by the router concerning NTP. That’s why I tried to directly pull the time from a NTP server in the internet.

I have no idea if it means something, but I have NTP working just fine from a pool.ntp.org server; the only difference, besides the different national server, is the mode set to unicast, while you have broadcast.
Are you sure the address can be DNS resolved?

put [:resolve de.pool.ntp.org]

Seems like DNS resolution works fine

[admin@MikroTik] > put [:resolve de.pool.ntp.org]
195.201.173.232

It could be that the 1970 date you have is too far in the past; there were issues reported about this, but I thought they were solved by now.
Try disabling the ntp client, setting manually the date/time, re-enable the client.

Another possibility is that your ISP blocks port 123; check these:
http://forum.mikrotik.com/t/ntp-client-status-waiting/158513/1
http://forum.mikrotik.com/t/ntp-client-not-syncing/176955/1

All the port remapping didn’t help, but switching to unicast on de.pool.ntp.org solved the issue. Thanks!

Yup, just had a look at my downstream devices, client setting set to unicast… good eye