Newbie VLAN help: Network separation

Hello everyone,

I bought a Mikrotik Hex S to manage my network. Currently, everything is in one network, which I can manage fine.
Since I got more and more into smart home devices, my network grew bigger. For security reasons, I want to create separate networks.
I’ve studied several VLAN tutorials, from videos on YouTube to information on this forum, but I cannot get it to work the way I want it.

My network is as follows:
Internet router → Hex S (as router) → 192.168.1.0/24

What I would like is several networks:
192.168.1.0/24 Base Lan - All access to everything
192.168.20.0/24 Internet - Internet access, access to other devices within own network.
192.168.30.0/24 Internet (Isolated) - Internet access, but isolated from any other device
192.168.40.0/24 Network of Things - No internet, no access to others, but accessible by Base Lan. (For RTSP cameras)

The problem is that most devices are connected to the network via wifi, including devices that should be separated. This means I cannot separate networks with just network ports, but virtual only.
It should look something like this:

Current configuration:
Device set as router

Interface:
Bridge (LAN)

  • VLAN filtering: off
    * Whenever I turn this on, it kills my connection. Due to safe mode, settings are reversed.

Ether 1 (WAN)
Ether 2 (LAN)
Ether 3 (LAN)
Ether 4 (LAN)
Ether 5 (LAN)
Sfp1 (WAN, not used)

Interface VLAN:
VLAN 1 “Base”, VLAN ID: 1, Interface: Bridge
VLAN 20 “Internet”, VLAN ID: 20, Interface: Bridge
VLAN 30 “Internet_isolated”, VLAN ID: 30, Interface: Bridge
VLAN 40 “Network”, VLAN ID: 40, Interface: Bridge

Bridge Ports
Ether 2, Bridge, PVID 1, admit all
Ether 3, Bridge, PVID 1, admit all
Ether 4, Bridge, PVID 1, admit all
Ether 5, Bridge, PVID 1, admit all
VLAN 20 Internet, Bridge, PVID 20, admit all
VLAN 30 Internet_isolated, Bridge, PVID 30, admit all
VLAN 40 Network, Bridge, PVID 40, admit all
No VLANs setup in Bridge yet

Switch
No VLANs setup in Switch yet

IP
Address List
192.168.0.2/24, ether 1
192.168.1.1/24, bridge
192.168.20.1/24, VLAN 20 Internet
192.168.30.1/24, VLAN 30 Internet_isolated
192.168.40.1/24, VLAN 40 Network

DHCP Server:

  • 1 per network setup
  • Interfaces bridge and VLANs
  • Including pools

Firewall:
NAT
Chain: srcnat
Action: masquerade

Since I’m new to this (never did anything outside one 192.x.x.x network) I use the interface with WinBox.

Hope someone has the time and patience to help me out :)

With kind regards,

Don
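
The access policy listed in the post, written as RouterOS forward-chain filter rules. This is an added example, not part of the original post and not a tested configuration for this device. It assumes the WAN port the post calls Ether 1 has the default interface name `ether1`, that no other forward rules are present, and it covers routed (layer 3) traffic only.

```routeros
# Added example: forward-chain rules for the four subnets named in the post.
# Rules are matched top to bottom; the first match wins.
/ip firewall filter

# Replies to connections that a later rule permitted. This is what lets
# 192.168.40.0/24 answer Base LAN without being able to start connections.
add chain=forward action=accept connection-state=established,related \
    comment="replies to permitted connections"
add chain=forward action=drop connection-state=invalid \
    comment="drop invalid packets"

# 192.168.1.0/24 Base LAN: access to everything, including the cameras.
add chain=forward action=accept src-address=192.168.1.0/24 \
    comment="Base LAN to anywhere"

# 192.168.20.0/24 Internet: may leave via the WAN port only. Traffic between
# devices inside this subnet is switched, so it never reaches this chain.
add chain=forward action=accept src-address=192.168.20.0/24 \
    out-interface=ether1 comment="Internet to WAN"

# 192.168.30.0/24 Internet (Isolated): may leave via the WAN port only.
# Device-to-device isolation inside this subnet is a layer 2 matter and is
# NOT enforced by these rules.
add chain=forward action=accept src-address=192.168.30.0/24 \
    out-interface=ether1 comment="Internet (Isolated) to WAN"

# 192.168.40.0/24 Network of Things has no accept rule of its own, so new
# connections from it to the WAN or to any other subnet fall through to here.
add chain=forward action=drop \
    comment="default deny: everything not allowed above"
```

These rules filter only traffic routed between subnets and to the WAN; access from each subnet to the router itself is governed by the input chain, which this example does not touch. Because `out-interface=ether1` matches anything leaving the WAN port, the upstream 192.168.0.0/24 network behind the Internet router remains reachable from 192.168.20.0/24 and 192.168.30.0/24.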