No DHCP on VLAN spanning multiple ports

I've been pulling my hair out since about 3pm yesterday.

I reset my router, so I could do a clean configuration, and so far it PARTIALLY works.

Basically I have 1 bridge and 5 VLANs. 2 of the VLANs are tied to a single port each. Those two work perfectly: DHCP supplies an address and they can connect to the internet (well, the CAM-VLAN can't get to the internet, but it's not supposed to).

The other 3 VLANs can come from either ether1 or ether2. Ether1 and ether2 are connected to unmanaged switches. Nothing plugged into those switches gets an IP address.

I read through so many tutorials, and I feel like I'm missing something small.

Anyway, here's the config:

# 2025-11-10 10:31:35 by RouterOS 7.20.4
# software id = XXXXXX
#
# model = RB5009UPr+S+
# serial number = XXXXXXX
# First (non-working) export: one VLAN-filtering bridge with five VLANs,
# ether7 kept outside the bridge as a management port, ether8 as WAN.
/interface bridge
# frame-types on the bridge entry governs the bridge's own (CPU-facing) port;
# the admission policy for each physical port is set under
# /interface bridge port further down.
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf fast-forward=no \
    frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
# L3 VLAN interfaces ride on the bridge, so the bridge itself must be a tagged
# member of every VLAN in /interface bridge vlan (it is, see below).
add interface=bridge name=CAM-VLAN vlan-id=20
add interface=bridge name=DL-VLAN vlan-id=40
add interface=bridge name=IOT-VLAN vlan-id=10
add interface=bridge name=MAIN-VLAN vlan-id=50
add interface=bridge name=MEDIA-VLAN vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# MGMT scopes neighbor discovery and MAC-Winbox (see the end of the export).
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp serves the out-of-bridge management port ether7 (192.168.88.0/24).
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=IOT-POOL ranges=192.168.10.2-192.168.10.254
add name=CAM-POOL ranges=192.168.20.2-192.168.20.254
add name=MEDIA-POOL ranges=192.168.30.2-192.168.30.254
add name=DL-POOL ranges=192.168.40.2-192.168.40.254
add name=MAIN-POOL ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
# One DHCP server per VLAN interface; ether7 is served directly because it is
# not a bridge port.
add address-pool=default-dhcp interface=ether7 name=MGMT
add address-pool=IOT-POOL interface=IOT-VLAN name=IOT-DHCP
add address-pool=CAM-POOL interface=CAM-VLAN name=CAM-DHCP
add address-pool=MEDIA-POOL interface=MEDIA-VLAN name=MEDIA-DHCP
add address-pool=DL-POOL interface=DL-VLAN name=DL-DHCP
add address-pool=MAIN-POOL interface=MAIN-VLAN name=MAIN-DHCP
/disk settings
# NOTE(review): media/SMB auto-sharing is enabled with the bridge as its
# interface, and the input chain below accepts all LAN traffic — confirm which
# VLANs are meant to reach that share (the camera and IoT VLANs included?).
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# ether1/ether2 feed unmanaged switches (per the post), yet they admit only
# tagged frames and are tagged-only members of VLANs 10/30/50 below. Hosts
# behind an unmanaged switch normally send untagged frames, so their DHCP
# discovers are dropped at ingress right here — which matches the "nothing on
# ether1/ether2 gets an address" symptom. A port facing untagged hosts needs a
# pvid plus frame-types=admit-only-untagged-and-priority-tagged (as ether3 and
# ether6 have) and an untagged= membership in the VLAN table.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether2
# ether3 / ether6 are access ports: untagged ingress maps to VLAN 20 / 40.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
# ether4/ether5 admit only tagged frames but are in no /interface bridge vlan
# entry below, so (presumably) nothing attached to them is forwarded at all.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=40
/ip neighbor discovery-settings
# Neighbor discovery is limited to the MGMT list — good hygiene.
set discover-interface-list=MGMT
/ipv6 settings
# IPv6 is fully disabled; the /ipv6 firewall sections later in this export are
# therefore inert.
set disable-ipv6=yes forward=no
/interface bridge vlan
# VLAN table: "bridge" is tagged on every entry so the L3 VLAN interfaces work;
# 10/30/50 are trunked (tagged only) on ether1/ether2, while 20 and 40 are
# untagged on the access ports ether3/ether6.
add bridge=bridge comment=IOT-VLAN tagged=ether1,ether2,bridge vlan-ids=10
add bridge=bridge comment=CAM-VLAN tagged=bridge untagged=ether3 vlan-ids=20
add bridge=bridge comment=MEDIA-VLAN tagged=ether1,ether2,bridge vlan-ids=30
add bridge=bridge comment=DL-VLAN tagged=bridge untagged=ether6 vlan-ids=40
add bridge=bridge comment=MAIN-VLAN tagged=ether1,ether2,bridge vlan-ids=50
/interface list member
# ether7 and MAIN-VLAN are members of both MGMT and LAN; every other VLAN is
# LAN only, and ether8 alone is WAN.
add interface=CAM-VLAN list=LAN
add comment=defconf interface=ether8 list=WAN
add interface=ether7 list=MGMT
add interface=MAIN-VLAN list=MGMT
add interface=ether7 list=LAN
add interface=IOT-VLAN list=LAN
add interface=MEDIA-VLAN list=LAN
add interface=DL-VLAN list=LAN
add interface=MAIN-VLAN list=LAN
/ip address
# One /24 per VLAN with the router at .1; 192.168.88.0/24 stays on bare ether7.
add address=192.168.88.1/24 comment=defconf interface=ether7 network=\
    192.168.88.0
add address=192.168.10.1/24 comment=IOT-ADDR interface=IOT-VLAN network=\
    192.168.10.0
add address=192.168.20.1/24 comment=CAM-ADDR interface=CAM-VLAN network=\
    192.168.20.0
add address=192.168.30.1/24 comment=MEDIA-ADDR interface=MEDIA-VLAN network=\
    192.168.30.0
add address=192.168.40.1/24 comment=DL-ADDR interface=DL-VLAN network=\
    192.168.40.0
add address=192.168.50.1/24 comment=MAIN-ADDR interface=MAIN-VLAN network=\
    192.168.50.0
/ip dhcp-client
# Upstream address is obtained by DHCP on the WAN port.
add comment=defconf interface=ether8
/ip dhcp-server network
# Clients are handed dns-server=1.1.1.1 directly, so the router's own resolver
# (and its static router.lan entry below) is bypassed by DHCP clients.
add address=192.168.10.0/24 comment="IOT Network" dns-server=1.1.1.1 gateway=\
    192.168.10.1
add address=192.168.20.0/24 comment="CAM Network" dns-server=1.1.1.1 gateway=\
    192.168.20.1
add address=192.168.30.0/24 comment="MEDIA Network" dns-server=1.1.1.1 \
    gateway=192.168.30.1
add address=192.168.40.0/24 comment="DL Network" dns-server=1.1.1.1 gateway=\
    192.168.40.1
add address=192.168.50.0/24 comment="MAIN Network" dns-server=1.1.1.1 \
    gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1 gateway=\
    192.168.88.1
/ip dns
# The router answers DNS for any source the input chain lets reach port 53.
# The terminating input drop in /ip firewall filter keeps that off the WAN
# side; loosen that chain and this becomes an open resolver.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Every "defconf:" rule below carries disabled=yes and does nothing; the active
# policy is the hand-written set that starts at "Allow Estab & Related".
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# ---- active input chain ----
# No active "drop invalid" in input (the defconf one is disabled).
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
# "Allow LAN" already covers MAIN-VLAN (a LAN member), so the MAIN-VLAN rule
# after it can never match anything new.
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
add action=accept chain=input comment="Allow MAIN-VLAN Full Access" \
    in-interface=MAIN-VLAN
add action=drop chain=input comment=Drop
# ---- active forward chain ----
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# CAM-VLAN is a LAN member, so as ordered it is accepted to WAN here — before
# the "Drop CAM from Internet" rule further down gets a chance.
add action=accept chain=forward comment="LAN Internet Access only" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
# This drop terminates the chain: every rule after it is unreachable, so the
# CAM block is not enforced and MAIN-VLAN gets no inter-VLAN routing at all.
add action=drop chain=forward comment=Drop
add action=drop chain=forward comment="Drop CAM from Internet" in-interface=\
    CAM-VLAN out-interface-list=WAN
add action=accept chain=forward comment="MAIN-VLAN inter-VLAN routing" \
    connection-state=new in-interface=MAIN-VLAN
add action=accept chain=forward comment="LAN Internet Access only" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
# Source NAT for everything leaving via WAN, except packets matched by an
# outgoing IPsec policy.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip smb shares
# Default SMB share exported from flash/pub (see /disk settings above).
set [ find default=yes ] directory=flash/pub
/ipv6 firewall address-list
# IPv6 is disabled under /ipv6 settings, so the bad_ipv6 list and the whole
# /ipv6 firewall filter below are inert: harmless to keep, but dead config.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified RouterOS default IPv6 ruleset (ends in drop-all-not-from-LAN).
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Chicago
/tool mac-server
# MAC-telnet is disabled on every interface; MAC-Winbox only from MGMT.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Okay,,,

So it looks like you have trunk ports on ether1, ether2, ether4 and ether5, and only tagged VLANs pass through these.
ether3 and ether6 are access ports going to dumb devices untagged on 20 and 40 respectively.

I note that VLANs 20 and 40 are not going to unmanaged switches.
You could simplify this to:

/interface bridge vlan
# VLANs 10, 30 and 50 have identical membership (tagged on ether1, ether2 and
# the bridge), so one entry with vlan-ids=10,30,50 replaces three rows. The
# per-VLAN comment= is lost in the merge; the two access VLANs keep their rows.
add bridge=bridge tagged=ether1,ether2,bridge vlan-ids=10,30,50
add bridge=bridge comment=CAM-VLAN tagged=bridge untagged=ether3 vlan-ids=20
add bridge=bridge comment=DL-VLAN tagged=bridge untagged=ether6 vlan-ids=40

but that's personal preference.

It's your firewall rules that are really messy, but I ran out of time to review them.
I will come back to it, but be advised that there is no guarantee unmanaged switches will handle tagged frames properly, and that could be the source of your issues!


Firewall rules fixed:

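/ip firewall filter
# ---- default rules to keep ----
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
# ---- admin rules ----
# MGMT gets unrestricted access to the router's own services; every other LAN
# interface only DNS (udp/tcp 53) and NTP (udp 123), and the camera subnet not
# even that.
add action=accept chain=input comment="admin access" in-interface-list=MGMT
add action=accept chain=input comment="users2services" dst-port=53,123 \
    in-interface-list=LAN protocol=udp src-address=!192.168.20.0/24
add action=accept chain=input comment="users2services" dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address=!192.168.20.0/24
# Keep this rule in this position, but when entering the rules live, add it
# LAST so the accept rules above exist before the chain starts dropping —
# otherwise you lock yourself out of the router.
add action=drop chain=input comment="drop all else"
# ---- forward ----
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# All of LAN except the camera subnet may reach the internet.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
    out-interface-list=WAN src-address=!192.168.20.0/24
# MGMT (MAIN-VLAN and ether7 in the posted export) may open connections to
# every other VLAN.
add action=accept chain=forward comment="admin to vlans" in-interface-list=MGMT \
    out-interface-list=LAN
# MEDIA-VLAN may reach the single server on MAIN-VLAN, nothing else there.
add action=accept chain=forward comment="media to server" dst-address=192.168.50.17 \
    src-address=192.168.30.0/24
# Enable only if you add dst-nat port forwards; otherwise remove it.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat \
    disabled=yes
add action=drop chain=forward comment="drop all else"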

Okay, so I got all my VLANs working now. Turns out I had to throw a bit more hardware at my network. So that's awesome. Now I'm trying to get a couple of firewall-based issues worked out.

  • MAIN-VLAN can't access all the other VLANs as intended.

  • MEDIA-VLAN can't access a server on the MAIN-VLAN as intended.

  • My firewall rules are... A mess.

Here's the new config:

# 2025-11-10 20:25:36 by RouterOS 7.20.4
# software id = XXXX-XXXX
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXX
# Second export: ether1/ether2/ether4 are now untagged access ports and a
# SERVER-ACCESS list was added for the MEDIA -> MAIN server requirement.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf fast-forward=no \
    frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CAM-VLAN vlan-id=20
add interface=bridge name=DL-VLAN vlan-id=40
add interface=bridge name=IOT-VLAN vlan-id=10
add interface=bridge name=MAIN-VLAN vlan-id=50
add interface=bridge name=MEDIA-VLAN vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
# SERVER-ACCESS has exactly one member (MEDIA-VLAN, see list members below); a
# src-address=192.168.30.0/24 match expresses the same thing without a list.
add name=SERVER-ACCESS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=IOT-POOL ranges=192.168.10.2-192.168.10.254
add name=CAM-POOL ranges=192.168.20.2-192.168.20.254
add name=MEDIA-POOL ranges=192.168.30.2-192.168.30.254
add name=DL-POOL ranges=192.168.40.2-192.168.40.254
add name=MAIN-POOL ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
# The "Interface not running" line is emitted by the export itself: ether7 had
# no link when this was taken, so the MGMT DHCP server is not active.
# Interface not running
add address-pool=default-dhcp interface=ether7 name=MGMT
add address-pool=IOT-POOL interface=IOT-VLAN name=IOT-DHCP
add address-pool=CAM-POOL interface=CAM-VLAN name=CAM-DHCP
add address-pool=MEDIA-POOL interface=MEDIA-VLAN name=MEDIA-DHCP
add address-pool=DL-POOL interface=DL-VLAN name=DL-DHCP
add address-pool=MAIN-POOL interface=MAIN-VLAN name=MAIN-DHCP
/disk settings
# NOTE(review): SMB/media auto-sharing is bound to the bridge; confirm which
# VLANs are intended to reach it.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# ether1: untagged access port for MAIN (VLAN 50).
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether1 pvid=50
# ether2 has no frame-types, i.e. the default admit-all: untagged frames land
# in VLAN 50 and tagged 10/20/30/50 are accepted as well, because ether2 is a
# tagged member of all four below. Any device on ether2 — or behind an
# unmanaged switch on ether2 — can therefore join CAM or IOT simply by sending
# tagged frames. If ether2 only needs to be a MAIN access port, give it the
# same frame-types as ether1 and remove it from the tagged= lists; if it must
# be a trunk, attach only a managed switch or AP you control.
add bridge=bridge comment=defconf interface=ether2 pvid=50
# ether3 / ether4 / ether6: access ports for CAM (20), MEDIA (30), DL (40).
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
# ether5 still admits only tagged frames but is in no VLAN entry below, so
# (presumably) nothing attached to it is forwarded.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=40
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
# IPv6 is disabled; the /ipv6 firewall sections below are inert.
set disable-ipv6=yes forward=no
/interface bridge vlan
# ether2 is trunked for every VLAN except DL (40); the bridge is tagged on all.
add bridge=bridge comment=IOT-VLAN tagged=bridge,ether2 vlan-ids=10
add bridge=bridge comment=CAM-VLAN tagged=bridge,ether2 untagged=ether3 \
    vlan-ids=20
add bridge=bridge comment=MEDIA-VLAN tagged=bridge,ether2 untagged=ether4 \
    vlan-ids=30
add bridge=bridge comment=DL-VLAN tagged=bridge untagged=ether6 vlan-ids=40
add bridge=bridge comment=MAIN-VLAN tagged=bridge,ether2 untagged=ether1 \
    vlan-ids=50
/interface list member
# ether7 and MAIN-VLAN sit in both MGMT and LAN; MEDIA-VLAN is the only
# SERVER-ACCESS member.
add interface=CAM-VLAN list=LAN
add comment=defconf interface=ether8 list=WAN
add interface=ether7 list=MGMT
add interface=MAIN-VLAN list=MGMT
add interface=ether7 list=LAN
add interface=IOT-VLAN list=LAN
add interface=MEDIA-VLAN list=LAN
add interface=DL-VLAN list=LAN
add interface=MAIN-VLAN list=LAN
add interface=MEDIA-VLAN list=SERVER-ACCESS
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether7 network=\
    192.168.88.0
add address=192.168.10.1/24 comment=IOT-ADDR interface=IOT-VLAN network=\
    192.168.10.0
add address=192.168.20.1/24 comment=CAM-ADDR interface=CAM-VLAN network=\
    192.168.20.0
add address=192.168.30.1/24 comment=MEDIA-ADDR interface=MEDIA-VLAN network=\
    192.168.30.0
add address=192.168.40.1/24 comment=DL-ADDR interface=DL-VLAN network=\
    192.168.40.0
add address=192.168.50.1/24 comment=MAIN-ADDR interface=MAIN-VLAN network=\
    192.168.50.0
/ip dhcp-client
add comment=defconf interface=ether8
/ip dhcp-server lease
# Static leases for the poster's own devices. 192.168.50.17 is the MAIN-VLAN
# server that the MEDIA-VLAN is meant to reach (see the forward rules below).
add address=192.168.50.24 client-id=1:2:26:25:2:3:de mac-address=\
    02:26:25:02:03:DE server=MAIN-DHCP
add address=192.168.50.69 client-id=1:e4:5f:1:ad:ce:39 mac-address=\
    E4:5F:01:AD:CE:39 server=MAIN-DHCP
add address=192.168.50.8 client-id=\
    ff:f3:7c:4a:42:0:1:0:1:2d:5a:9d:38:d8:9e:f3:7c:4a:42 mac-address=\
    D8:9E:F3:7C:4A:42 server=MAIN-DHCP
add address=192.168.50.17 client-id=\
    ff:e0:5:e8:57:0:1:0:1:2f:4:69:e7:a8:b8:e0:5:e8:57 mac-address=\
    A8:B8:E0:05:E8:57 server=MAIN-DHCP
add address=192.168.40.17 client-id=\
    ff:e0:5:e8:58:0:1:0:1:2f:5:70:74:a8:b8:e0:5:e8:58 mac-address=\
    A8:B8:E0:05:E8:58 server=DL-DHCP
add address=192.168.20.84 client-id=\
    ff:e8:47:ae:5e:0:1:0:1:30:9b:fd:1e:2:26:25:2:3:e1 mac-address=\
    70:B5:E8:47:AE:5E server=CAM-DHCP
add address=192.168.50.84 client-id=\
    ff:25:2:3:e1:0:1:0:1:30:9b:fd:1e:2:26:25:2:3:e1 mac-address=\
    02:26:25:02:03:E1 server=MAIN-DHCP
/ip dhcp-server network
# Clients get dns-server=1.1.1.1 directly, bypassing the router's resolver.
add address=192.168.10.0/24 comment="IOT Network" dns-server=1.1.1.1 gateway=\
    192.168.10.1
add address=192.168.20.0/24 comment="CAM Network" dns-server=1.1.1.1 gateway=\
    192.168.20.1
add address=192.168.30.0/24 comment="MEDIA Network" dns-server=1.1.1.1 \
    gateway=192.168.30.1
add address=192.168.40.0/24 comment="DL Network" dns-server=1.1.1.1 gateway=\
    192.168.40.1
add address=192.168.50.0/24 comment="MAIN Network" dns-server=1.1.1.1 \
    gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1 gateway=\
    192.168.88.1
/ip dns
# Remote requests are allowed; only the input chain decides who may ask.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Rule order is everything here. Read per chain, the active sequence is:
#   input  : accept est/rel/untracked -> drop invalid -> accept ICMP ->
#            accept loopback -> drop !LAN -> accept MGMT -> accept LAN
#   forward: accept MGMT->LAN new -> accept SERVER-ACCESS->.50.17 ->
#            ipsec in/out -> fasttrack -> drop CAM->WAN -> accept LAN->WAN new
#            -> accept est/rel/untracked -> drop invalid -> drop WAN !dstnat
# Neither chain ends in a drop, and RouterOS accepts whatever falls off the end
# of a chain. So every LAN source can reach every router service, and every
# inter-VLAN flow not listed (IOT->MAIN, CAM->anything, ...) is permitted by
# default. The two MAIN-VLAN/MGMT accepts are therefore redundant rather than
# restrictive, and "MAIN cannot reach the other VLANs" is not something this
# ruleset produces — look at the endpoints or at L2 instead.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="MAIN-VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=MGMT out-interface-list=LAN
add action=accept chain=forward comment="Allow access to server on MAIN-VLAN" \
    dst-address=192.168.50.17 in-interface-list=SERVER-ACCESS
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This is the only input restriction: it keeps WAN out of the router.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
# CAM block now precedes the LAN->WAN accept, so it is actually enforced.
add action=drop chain=forward comment="Drop CAM from Internet" in-interface=\
    CAM-VLAN out-interface-list=WAN
add action=accept chain=forward comment="LAN Internet Access only" \
    connection-state=new in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow MAIN-VLAN Full Access" \
    in-interface-list=MGMT
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Last input rule, and it is an accept — nothing in input is denied to LAN.
add action=accept chain=input comment="Allow LAN" in-interface-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip smb shares
set [ find default=yes ] directory=flash/pub
/ipv6 firewall address-list
# IPv6 is disabled under /ipv6 settings, so this list and the /ipv6 firewall
# filter below are inert (the advisor's later reply suggests removing them).
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Unmodified RouterOS default IPv6 ruleset.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Chicago
/tool mac-server
# MAC-telnet off everywhere; MAC-Winbox only from MGMT.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

I already fixed most of your issues and you ignored it.
I have gone back to my post above and added the only one rule that needed to be added based on the new requirement of media lan accessing a server.
Get rid of all that IPv6 garbage, as you already disabled IPv6 in settings. So no IPv6 address lists are required, and as a precautionary measure keep only two IPv6 firewall rules:
# Meant for /ipv6 firewall filter. IPv6 is already disabled under
# /ipv6 settings, so these two catch-alls only matter if it is ever re-enabled.
add chain=input action=drop
add chain=forward action=drop

By the way, interface lists are generally for TWO or more subnets; if it's a single subnet, just use the subnet address.

Thank you for your help. I did use the configs you listed, I was just a little scared to wipe out the firewall rules first. But they are in place. I am still having some issues with the inter-vlan connections (can’t access the other VLANs from MAIN, can’t access the server in MAIN from MEDIA)

here’s the new config:

/ip firewall filter
# Final rule set (the advisor's layout, applied). Both chains now end in an
# explicit drop, so anything not listed below is denied.
# ---- input: what may talk to the router itself ----
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# MGMT (ether7 and MAIN-VLAN in the earlier export) gets every router service,
# Winbox/SSH/API included; all other LAN interfaces only DNS and NTP.
add action=accept chain=input comment="admin access" in-interface-list=MGMT
# The camera subnet is excluded here and is also handed 1.1.1.1 it cannot reach
# (see the "internet traffic" rule), so cameras end up with no working DNS —
# consistent with keeping them fully offline.
add action=accept chain=input comment=users2services dst-port=53,123 \
    in-interface-list=LAN protocol=udp src-address=!192.168.20.0/24
add action=accept chain=input comment=users2services dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address=!192.168.20.0/24
add action=drop chain=input comment="drop all else"
# ---- forward: what may cross between interfaces ----
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# Everything in LAN except the camera subnet may open connections to WAN.
add action=accept chain=forward comment="internet traffic" connection-state=\
    new in-interface-list=LAN out-interface-list=WAN src-address=\
    !192.168.20.0/24
# MGMT -> any VLAN and MEDIA -> 192.168.50.17 are explicitly accepted, so the
# reported failures are not produced by this chain (assuming MAIN-VLAN is still
# a MGMT member — the list members are not shown in this snippet). Watch the
# packet counters with /ip firewall filter print stats to confirm these two
# rules are being hit; if they are, the target hosts' own firewalls, which
# often reject traffic from a non-local subnet, are the next thing to check.
add action=accept chain=forward comment="admin to vlans" in-interface-list=\
    MGMT out-interface-list=LAN
add action=accept chain=forward comment="media to server" dst-address=\
    192.168.50.17 src-address=192.168.30.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

The firewall rules seem good to me, so I'm not sure why you are not connecting.

Everything else works great. Just can’t access other VLANs from MAIN and can’t access the server from MEDIA. Thank you so much for your help.

@anav Is it possible that the VLAN tagging could be a reason that MAIN can’t access the other VLANS?

Current Config:

# 2025-11-12 17:29:33 by RouterOS 7.20.4
# software id = XXXX-XXXX
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf fast-forward=no \
    name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=CAM-VLAN vlan-id=20
add interface=bridge name=DL-VLAN vlan-id=40
add interface=bridge name=IOT-VLAN vlan-id=10
add interface=bridge name=MAIN-VLAN vlan-id=50
add interface=bridge name=MEDIA-VLAN vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
add name=NOT-MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=IOT-POOL ranges=192.168.10.2-192.168.10.254
add name=CAM-POOL ranges=192.168.20.2-192.168.20.254
add name=MEDIA-POOL ranges=192.168.30.2-192.168.30.254
add name=DL-POOL ranges=192.168.40.2-192.168.40.254
add name=MAIN-POOL ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
# NOTE(review): "Interface not running" below is an export annotation, not a
# setting; it appears to mean ether7 had no link when this export was taken.
# Interface not running
add address-pool=default-dhcp interface=ether7 name=MGMT
add address-pool=IOT-POOL interface=IOT-VLAN name=IOT-DHCP
add address-pool=CAM-POOL interface=CAM-VLAN name=CAM-DHCP
add address-pool=MEDIA-POOL interface=MEDIA-VLAN name=MEDIA-DHCP
add address-pool=DL-POOL interface=DL-VLAN name=DL-DHCP
add address-pool=MAIN-POOL interface=MAIN-VLAN name=MAIN-DHCP
/disk settings
# NOTE(review): auto-smb-sharing=yes publishes any attached disk over SMB on
# the bridge; the input chain admits that from the MGMT list, which includes
# all of MAIN-VLAN. Set it to no unless the share is actually used.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# ether1: access port, untagged ingress -> VLAN 50. Must match exactly one
# untagged membership in /interface bridge vlan below (it currently has two).
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether1 pvid=50
# ether2: no frame-types given, so the default admit-all applies. Together with
# pvid=50 and the tagged memberships below this is a hybrid port (untagged -> 50,
# tagged 10/20/30/50 passed), not a plain access port.
add bridge=bridge comment=defconf interface=ether2 pvid=50
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
# ether4: pvid 30, but it is also untagged in VLAN 50 below.
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
# ether5: tagged-only trunk that is a member of no vlan entry below, so nothing
# can pass through it.
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=40
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridge comment=IOT-VLAN tagged=bridge,ether2 vlan-ids=10
add bridge=bridge comment=CAM-VLAN tagged=bridge,ether2 untagged=ether3 \
    vlan-ids=20
add bridge=bridge comment=MEDIA-VLAN tagged=bridge,ether2 untagged=ether4 \
    vlan-ids=30
# NOTE(review): ether1 is untagged here (VLAN 40) although its port pvid is 50;
# an access port can be untagged in only one VLAN.
add bridge=bridge comment=DL-VLAN tagged=bridge untagged=ether6,ether1 \
    vlan-ids=40
# NOTE(review): same contradiction for ether4 (pvid 30, untagged here in 50).
add bridge=bridge comment=MAIN-VLAN tagged=bridge,ether2 untagged=\
    ether1,ether4 vlan-ids=50
/interface list member
add interface=CAM-VLAN list=LAN
add comment=defconf interface=ether8 list=WAN
add interface=ether7 list=MGMT
# NOTE(review): the whole MAIN-VLAN in MGMT gives every MAIN client the
# "admin access" input rule, MAC-winbox and neighbor discovery. Prefer a
# dedicated admin host / address list if MAIN also carries ordinary devices.
add interface=MAIN-VLAN list=MGMT
add interface=ether7 list=LAN
add interface=IOT-VLAN list=LAN
add interface=MEDIA-VLAN list=LAN
add interface=DL-VLAN list=LAN
add interface=MAIN-VLAN list=LAN
add interface=CAM-VLAN list=NOT-MGMT
add interface=MEDIA-VLAN list=NOT-MGMT
add interface=DL-VLAN list=NOT-MGMT
add interface=IOT-VLAN list=NOT-MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether7 network=\
    192.168.88.0
add address=192.168.10.1/24 comment=IOT-ADDR interface=IOT-VLAN network=\
    192.168.10.0
add address=192.168.20.1/24 comment=CAM-ADDR interface=CAM-VLAN network=\
    192.168.20.0
add address=192.168.30.1/24 comment=MEDIA-ADDR interface=MEDIA-VLAN network=\
    192.168.30.0
add address=192.168.40.1/24 comment=DL-ADDR interface=DL-VLAN network=\
    192.168.40.0
add address=192.168.50.1/24 comment=MAIN-ADDR interface=MAIN-VLAN network=\
    192.168.50.0
/ip dhcp-client
add comment=defconf interface=ether8
/ip dhcp-server lease
add address=192.168.50.24 client-id=1:2:26:25:2:3:de mac-address=\
    02:26:25:02:03:DE server=MAIN-DHCP
add address=192.168.50.69 client-id=1:e4:5f:1:ad:ce:39 mac-address=\
    E4:5F:01:AD:CE:39 server=MAIN-DHCP
add address=192.168.50.8 client-id=\
    ff:f3:7c:4a:42:0:1:0:1:2d:5a:9d:38:d8:9e:f3:7c:4a:42 mac-address=\
    D8:9E:F3:7C:4A:42 server=MAIN-DHCP
# NOTE(review): the .50.17 and .40.17 leases carry consecutive MAC addresses,
# which looks like one dual-homed host with a NIC in MAIN and one in DL — TODO
# confirm. Such a host replies on whichever interface its own routing table
# selects, which can break cross-VLAN access independently of this router.
add address=192.168.50.17 client-id=\
    ff:e0:5:e8:57:0:1:0:1:2f:4:69:e7:a8:b8:e0:5:e8:57 mac-address=\
    A8:B8:E0:05:E8:57 server=MAIN-DHCP
add address=192.168.40.17 client-id=\
    ff:e0:5:e8:58:0:1:0:1:2f:5:70:74:a8:b8:e0:5:e8:58 mac-address=\
    A8:B8:E0:05:E8:58 server=DL-DHCP
add address=192.168.20.84 client-id=\
    ff:e8:47:ae:5e:0:1:0:1:30:9b:fd:1e:2:26:25:2:3:e1 mac-address=\
    70:B5:E8:47:AE:5E server=CAM-DHCP
add address=192.168.50.84 client-id=\
    ff:25:2:3:e1:0:1:0:1:30:9b:fd:1e:2:26:25:2:3:e1 mac-address=\
    02:26:25:02:03:E1 server=MAIN-DHCP
/ip dhcp-server network
# Clients are pointed straight at 1.1.1.1, so they do not depend on the router's
# own resolver (the users2services input rules are disabled below).
add address=192.168.10.0/24 comment="IOT Network" dns-server=1.1.1.1 gateway=\
    192.168.10.1
add address=192.168.20.0/24 comment="CAM Network" dns-server=1.1.1.1 gateway=\
    192.168.20.1
add address=192.168.30.0/24 comment="MEDIA Network" dns-server=1.1.1.1 \
    gateway=192.168.30.1
add address=192.168.40.0/24 comment="DL Network" dns-server=1.1.1.1 gateway=\
    192.168.40.1
add address=192.168.50.0/24 comment="MAIN Network" dns-server=1.1.1.1 \
    gateway=192.168.50.1
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1 gateway=\
    192.168.88.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for clients;
# exposure is bounded by the input chain (WAN falls through to "drop all else").
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Rule order matters: the first matching rule wins, so each comment below
# describes the rule in its position in the chain.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): every source on the MGMT list reaches every router service
# (winbox, ssh, api, SMB, ...); with MAIN-VLAN in MGMT that is the whole MAIN
# subnet. Consider an admin src-address-list here and /ip service address=
# restrictions (not part of this export).
add action=accept chain=input comment="admin access" in-interface-list=MGMT
# Both users2services rules are disabled, so non-MGMT clients cannot use the
# router for DNS/NTP; that only works because every DHCP network hands out
# dns-server=1.1.1.1 directly.
add action=accept chain=input comment=users2services disabled=yes dst-port=\
    53,123 in-interface-list=LAN protocol=udp src-address=!192.168.20.0/24
add action=accept chain=input comment=users2services disabled=yes dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address=!192.168.20.0/24
add action=drop chain=input comment="drop all else"
# defconf order: fasttrack first. Fasttracked packets skip the rest of the
# filter, so only established/related connections are marked for it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# LAN -> WAN for everything except the CAM subnet (cameras stay offline).
add action=accept chain=forward comment="internet traffic" connection-state=\
    new in-interface-list=LAN out-interface-list=WAN src-address=\
    !192.168.20.0/24
# MAIN may open connections into every VLAN on the LAN list; replies return via
# the established/related rule above.
add action=accept chain=forward comment="admin to vlans" connection-state=new \
    in-interface=MAIN-VLAN out-interface-list=LAN
# MEDIA -> the single MAIN server only.
add action=accept chain=forward comment="media to server" connection-state=\
    new dst-address=192.168.50.17 in-interface=MEDIA-VLAN
# Accepts anything already DNAT'ed. No dstnat rules exist in this export, so
# this is inert until a port forward is added; it then becomes the allow rule.
add action=accept chain=forward comment="defconf:port forwarding" \
    connection-nat-state=dstnat
# Catch-all. When troubleshooting, add log=yes log-prefix=fwd-drop to this rule
# rather than disabling it.
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip smb shares
set [ find default=yes ] directory=flash/pub
/system clock
set time-zone-name=America/Chicago
/tool mac-server
# MAC-telnet off everywhere; MAC-winbox only from the MGMT list. Note that
# MAC-winbox is a layer-2 service the IP firewall above does not gate, so keep
# the MGMT list tight.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

Something is screwy. Lets recap to ensure we are on the same page.

Ether1 and Ether2 are plugged into unmanaged switches and you have them set up as trunk ports.
As I said, that has only an outside chance of actually working and is the likely cause of any connectivity issues on those ports; get some cheap Netgear, D-Link or TP-Link managed switches instead.

You have mucked up bridge ports thats for sure...........
Perhaps its now what you really wanted??

ether1 is now ONLY an access port (any untagged traffic coming into that port is placed in VLAN 50).
ether2 is NOT purely an access port: it has pvid=50 with the default frame-types (admit-all) and is a tagged member of VLANs 10, 20, 30 and 50 in the bridge vlan table, so untagged frames land in VLAN 50 while tagged frames for those four VLANs pass — a hybrid port, which may or may not be what you intended.

ether 3 is an access port for vlan-id=20
ether4 is an access port for vlan-id=30
ether5 is a trunk port
ether6 is an access port for vlan-id=40
+++++++++++++++++++++++++++++

According to your /interface bridge vlan settings the following would be true, if congruent with the other settings.

  • ether2 is a trunk port carrying 10,20,30,50 (and, via its pvid, untagged 50 as well)
  • ether 3 is an access port for vlan-id=20
  • ether 6 is an access port for vlan-id=40
  • ether1 is an access port for vlan50
  • ether4 is an access port for vlan50
  • ether5 is MIA ???? (it is on the bridge as a tagged-only port but is a member of no vlan entry, so it carries nothing)
  • ether6 is not actually missing here — it is the untagged member of vlan 40 in the entry above
    ++++++++++++++++++++++++++++

Summary: only ether3 and ether6 tell a consistent story; ether1 and ether4 are each untagged in two VLANs, which contradicts their access-port pvid.............
So yes botched/borked, etc.

Best tell what is connected to each port and what is supposed to flow over that port to fix this.

  • ether 1 is plugged into an unmanaged switch, set up as an access port for vlan50.
  • ether 2 is plugged into an unmanaged poe switch that has all my APs plugged into it. The APs are managed, and have multiple SSIDs that correspond to vlan50, vlan30, vlan20 and vlan10. The APs tag the correct VLANs
  • ether 3 is attached to an unmanaged switch, set up as an access port for vlan20.
  • ether 4 is attached to an unmanaged switch, set up as an access port for vlan30.
  • ether 5 is unused (for now)
  • ether 6 is attached to a server, set up as an access port for vlan40.
  • ether 7 is the management port
  • ether 8 is WAN

Cool, just be aware that ether2 is going to be problematic, as an unmanaged switch may or may not pass the frames transparently: either all frames get through with their tags intact, or they don't.
So we have to assume it will work; we set up the bridge appropriately, and if it doesn't, then use that port for only one VLAN or get a managed PoE switch.

By the way, its important to know what type of smart APs you are using??

They are Omada EAP610s with a docker container hosting the Omada Controller. So far they seem to be routing properly. The router is showing the connections attached to the correct VLANs.

The only thing on ether2 will be the APs.

Changes:

  1. added frame-types=admit-only-vlan-tagged on the bridge itself (the CPU port), so untagged frames cannot reach the router's own VLAN interfaces — a bit better security.
  2. Changed name of management server to MGMT-DHCP
    ( we dont want duplicate names of any sort on the router, plus tis consistent nomenclature )
  3. Fixed interface bridge ports
  4. Adjust interface vlan
  • gross error is that you had ether1 untagged for vlan-id=40 and it should be vlan-id=50.
  • gross error is that you had ether4 untagged for vlan-id=50 and it should be vlan-id=30
  1. Get rid of this static DNS setting. (look for static on side selection in winbox)
    /ip dns static
    add address=192.168.88.1 comment=defconf name=router.lan type=A

  2. WHY did you disable access to DNS for your users in the input chain rule??????? ........ The only one that doesnt need it is CAM because YOU STATED, they should not get internet. I had it all setup already :frowning:

  3. Stating connection-state=new in these forward chain rules is redundant (and has been removed): established, related and untracked packets are already accepted earlier in the chain and invalid ones dropped, so anything that reaches these rules is by definition a new connection.

  4. Rule to allow admin to all vlans was wrong, I had it fixed already once, done again :-(.

  5. Got rid of the unneeded interface list NOT-MGMT and its entries.

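/interface bridge
# frame-types=admit-only-vlan-tagged on the bridge itself (the CPU port) keeps
# untagged frames away from the router's own VLAN interfaces.
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf fast-forward=no \
    name=bridge vlan-filtering=yes frame-types=admit-only-vlan-tagged
/interface vlan
add interface=bridge name=IOT-VLAN vlan-id=10
add interface=bridge name=CAM-VLAN vlan-id=20
add interface=bridge name=MEDIA-VLAN vlan-id=30
add interface=bridge name=DL-VLAN vlan-id=40
add interface=bridge name=MAIN-VLAN vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=IOT-POOL ranges=192.168.10.2-192.168.10.254
add name=CAM-POOL ranges=192.168.20.2-192.168.20.254
add name=MEDIA-POOL ranges=192.168.30.2-192.168.30.254
add name=DL-POOL ranges=192.168.40.2-192.168.40.254
add name=MAIN-POOL ranges=192.168.50.2-192.168.50.254
/ip dhcp-server
# One server per interface; names are unique and follow one scheme (*-DHCP).
add address-pool=default-dhcp interface=ether7 name=MGMT-DHCP
add address-pool=IOT-POOL interface=IOT-VLAN name=IOT-DHCP
add address-pool=CAM-POOL interface=CAM-VLAN name=CAM-DHCP
add address-pool=MEDIA-POOL interface=MEDIA-VLAN name=MEDIA-DHCP
add address-pool=DL-POOL interface=DL-VLAN name=DL-DHCP
add address-pool=MAIN-POOL interface=MAIN-VLAN name=MAIN-DHCP
/disk settings
# NOTE(review): auto-smb-sharing=yes publishes any attached disk over SMB on
# the bridge; the input chain admits that from the MGMT list (ether7 plus all
# of MAIN-VLAN). Set it to no unless the share is actually used.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# Access ports: untagged ingress is placed in the pvid VLAN. Each pvid matches
# exactly one untagged membership in /interface bridge vlan below.
add bridge=bridge comment="access port to switch - Main" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether1 pvid=50
# Trunk to the PoE switch feeding the APs: tagged frames only. NOTE(review): if
# the APs send their own management/DHCP traffic untagged it is dropped here;
# either tag the AP management VLAN on the APs or give this port a pvid (with
# frame-types admit-all) for that VLAN. TODO confirm on the APs.
add bridge=bridge comment="trunk to poe switch" frame-types=\
    admit-only-vlan-tagged interface=ether2
add bridge=bridge comment="access port - CAM" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge comment="access port - Media" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment="access port - Server DL" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=40
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ipv6 settings
set disable-ipv6=yes forward=no
/interface bridge vlan
# Every VLAN is tagged on "bridge" so its /interface vlan reaches the CPU;
# ether2 carries the four SSID VLANs; DL (40) stays wired-only on ether6.
add bridge=bridge comment=IOT-VLAN tagged=bridge,ether2 vlan-ids=10
add bridge=bridge comment=CAM-VLAN tagged=bridge,ether2 untagged=ether3 \
    vlan-ids=20
add bridge=bridge comment=MEDIA-VLAN tagged=bridge,ether2 untagged=ether4 \
    vlan-ids=30
add bridge=bridge comment=DL-VLAN tagged=bridge untagged=ether6 \
    vlan-ids=40
add bridge=bridge comment=MAIN-VLAN tagged=bridge,ether2 untagged=\
    ether1 vlan-ids=50
/interface list member
add comment=defconf interface=ether8 list=WAN
add interface=IOT-VLAN list=LAN
add interface=CAM-VLAN list=LAN
add interface=MEDIA-VLAN list=LAN
add interface=DL-VLAN list=LAN
add interface=MAIN-VLAN list=LAN
add interface=ether7 list=LAN
# MGMT: sources granted full router access (input chain), MAC-winbox and
# neighbor discovery. NOTE(review): MAIN-VLAN here means every MAIN client, not
# just an admin host; tighten with a src-address-list if that matters.
add interface=MAIN-VLAN list=MGMT
add interface=ether7 list=MGMT
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether7 network=\
    192.168.88.0
add address=192.168.10.1/24 comment=IOT-ADDR interface=IOT-VLAN network=\
    192.168.10.0
add address=192.168.20.1/24 comment=CAM-ADDR interface=CAM-VLAN network=\
    192.168.20.0
add address=192.168.30.1/24 comment=MEDIA-ADDR interface=MEDIA-VLAN network=\
    192.168.30.0
add address=192.168.40.1/24 comment=DL-ADDR interface=DL-VLAN network=\
    192.168.40.0
add address=192.168.50.1/24 comment=MAIN-ADDR interface=MAIN-VLAN network=\
    192.168.50.0
/ip dhcp-client
add comment=defconf interface=ether8
/ip dhcp-server network
# Clients get 1.1.1.1 directly; the router's own resolver is an extra, not a
# dependency. CAM clients receive it too but have no WAN path (see forward).
add address=192.168.88.0/24 comment=defconf dns-server=1.1.1.1 gateway=\
    192.168.88.1
add address=192.168.10.0/24 comment="IOT Network" dns-server=1.1.1.1 gateway=\
    192.168.10.1
add address=192.168.20.0/24 comment="CAM Network" dns-server=1.1.1.1 gateway=\
    192.168.20.1
add address=192.168.30.0/24 comment="MEDIA Network" dns-server=1.1.1.1 \
    gateway=192.168.30.1
add address=192.168.40.0/24 comment="DL Network" dns-server=1.1.1.1 gateway=\
    192.168.40.1
add address=192.168.50.0/24 comment="MAIN Network" dns-server=1.1.1.1 \
    gateway=192.168.50.1
/ip dns
# Router answers DNS for clients; WAN-side exposure is cut by the input chain.
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
# Rule order matters: the first matching rule wins, so each comment below
# describes the rule in its position in the chain.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): every source on the MGMT list reaches every router service;
# consider an admin src-address-list here and /ip service address= limits.
add action=accept chain=input comment="admin access" in-interface-list=MGMT
# Router DNS (udp+tcp 53) and NTP (udp 123) for LAN clients; CAM is excluded.
# udp/123 only matters if the router's NTP server is enabled (not shown here).
add action=accept chain=input comment=users2services dst-port=\
    53,123 in-interface-list=LAN protocol=udp src-address=!192.168.20.0/24
add action=accept chain=input comment=users2services dst-port=53 \
    in-interface-list=LAN protocol=tcp src-address=!192.168.20.0/24
add action=drop chain=input comment="drop all else"
# defconf order: fasttrack first. Fasttracked packets skip the rest of the
# filter, so only established/related connections are marked for it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# LAN -> WAN for everything except the CAM subnet (cameras stay offline).
# connection-state=new is implied here: anything not established/related/
# untracked/invalid has already been handled above.
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN \
    out-interface-list=WAN src-address=!192.168.20.0/24
# MGMT sources (ether7, MAIN-VLAN) may open connections into every VLAN on the
# LAN list; replies return via the established/related rule above.
add action=accept chain=forward comment="admin to vlans" in-interface-list=MGMT \
    out-interface-list=LAN
# MEDIA -> the single MAIN server only. If the UI rejects the /32, a bare
# address (192.168.50.17) is the same single-host match; do not use /24, which
# would open the whole MAIN subnet.
add action=accept chain=forward comment="media to server" connection-state=\
    new dst-address=192.168.50.17/32 in-interface=MEDIA-VLAN
# Accepts anything already DNAT'ed. No dstnat rules exist in this config, so
# this is inert until a port forward is added; it then becomes the allow rule.
add action=accept chain=forward comment="defconf:port forwarding" \
    connection-nat-state=dstnat
# Catch-all. When troubleshooting, add log=yes log-prefix=fwd-drop to this rule
# rather than disabling it.
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip smb shares
set [ find default=yes ] directory=flash/pub
/system clock
set time-zone-name=America/Chicago
/tool mac-server
# MAC-telnet off everywhere; MAC-winbox only from the MGMT list. Note that
# MAC-winbox is a layer-2 service the IP firewall above does not gate, so keep
# the MGMT list tight.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT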

is this:

add action=accept chain=forward comment="media to server" connection-state=new dst-address=192.168.50.17/32 in-interface=MEDIA-VLAN

supposed to be this:

add action=accept chain=forward comment="media to server" connection-state=new dst-address=192.168.50.17/24 in-interface=MEDIA-VLAN

I tried using 192.168.50.17/32 but winbox didn't like it.

Looks like MAIN to all is working now!

As far as media to server on main, it’s still not working. Do I need to do anything special to connect to specific ports?

I really appreciate all the help!

Okay, if winbox didn't like the IP/32, that's fine — just leave it without the /32 (a bare address is a single-host match). Do not use /24 on that line, though: 192.168.50.17/24 matches the whole 192.168.50.0/24 subnet, not just the server. So it should be:

add action=accept chain=forward comment="media to server" dst-address=192.168.50.17 \
     in-interface=MEDIA-VLAN

I am starting to suspect that its the server that is blocking traffic because the IP is not in the same subnet as what the server is on. Some sort of windows firewall blocking on the device etc...

To double check allow the media to the entire subnet and I bet the result will be the same.

add action=accept chain=forward comment="media to server" dst-address=192.168.50.0/24 \
    src-address=192.168.30.0/24

Update to allowing full subnet to subnet, no change.

It wouldn’t be anything windows related as everything on the network is Apple or Linux, or Android. And the two things I’m testing to communicate with are a Linux desktop to a Linux server. If I put that same Linux desktop back on MAIN it can communicate with a Linux server on DL.

Yes, anything in MAIN should be able to reach any other VLAN due to this rule.....

add action=accept chain=forward comment="admin to vlans" in-interface-list=MGMT \
    out-interface-list=LAN

and that MAIN-VLAN is part of the MGMT list!

add interface=MAIN-VLAN list=MGMT

There is nothing in the RoS setup that is blocking access to the Main server from the MEDIA vlan; I am not sure why you mention the DL vlan ??? (One thing worth checking on the server side: your lease table has 192.168.50.17 and 192.168.40.17 with consecutive MAC addresses, which looks like one dual-homed host with a NIC in both MAIN and DL. A Linux host like that replies on whichever interface its routing table selects, and its reverse-path filter or host firewall can then drop cross-VLAN traffic before the router ever sees a reply.)

Next test: temporarily disable the drop-all rule at the end of the forward chain (or, less disruptively, add log=yes log-prefix=fwd-drop to that rule and watch /log), then see whether the desktop on the MEDIA VLAN can reach the server on MAIN.

It should not make any difference, because we specifically allow that traffic in the firewall rule.

After you get no joy there, then it's time for packet sniffing.
First filter on the IP address you are using from the MEDIA vlan.
Then on the IP address of the server.

Also post latest config.