Proper Management VLAN Setup requested

Folks,



I am new to Mikrotik and getting a little frustrated with the documentation, the overabundance of options and the lack of clarity in some of the documentation. The bridge concept (bridge VLAN filtering) I figured out after pounding my head and realizing that the RB4011 has low-level realtek switch chips and hence no HW offload. So I got past all of that documentation sending me sideways. So I am stuck getting proper management VLAN access to winbox from my router, an RB4011 (RouterOS 6.47.7), internally to the devices or downstream from the new switch, a CSS326-24G (SwOS 2.12).

I have my VLANs set up and working properly for the production nets; what is left is setting up the "recommended" bridges and switching for the management VLANs, where I want to accomplish a seemingly easy config but can only get access to the router through a port which has VLAN 1 untagged on it by default.

Here is what I am trying to accomplish:

Set up a management VLAN across both devices: one workstation on an access port in the switch, another on the RB4011 for "emergency", and a third port for non-bridge "911 emergencies".

Current Config:
By default the IP of the RB4011 is 72.1 and the switch 72.2. The default address table has it in there and running on a switch port (not the bridge).
I have the management LAN (1372 - dot 13) on the router on ether9 (untagged), the bridge and the SFP (tagged). On the downstream switch I have a hybrid port set up (untagged VLAN 10, tagged 1372) and have VLAN tagging set up on the workstation along with the untagged VLAN. Untagged works fine, tagged does not.


Neither ether9 nor the tagged workstation can get access to the router (.1), but they can to the switch (.2). I can ping .1 but RoMON/connect is a no-go.
I put port 10 (ether10) in VLAN 1 untagged and this is the only way I can get access to winbox.

Question 1: Is this following the best practices, and if not, what is preferred?
Question 2: What am I doing wrong here? I am a bit confused on access to router services when overlaying bridge/VLAN for management. I would like to not use VLAN 1 for anything.
Question 3: I would like to make ether8 the "911 emergency" port, so I took it out of the bridge and left it in a switch group. However, no matter what I do I cannot access this port, and it doesn't connect to anything. I noticed the default fw rules refer to LAN as an interface-list of the bridge, and that may be an issue, but I am a noob here with mikrotik.

Thanks

VLAN table:

 #   BRIDGE    VLAN-IDS  CURRENT-TAGGED        CURRENT-UNTAGGED
 0   Br_VLAN   10        Br_VLAN, SFP_Switch
 1   Br_VLAN   50        Br_VLAN, SFP_Switch   P2_Obihai, P5_Inverter, P3_Alarm
 2   Br_VLAN   1372      Br_VLAN, SFP_Switch
 3   Br_Emerg  1
 4 D Br_VLAN   1                               Br_VLAN, SFP_Switch, P10_BridgeAccess


Networks: (redacted WAN, working)

ADDRESS NETWORK INTERFACE

0 ;;; defconf
192.168.72.1/24 192.168.72.0 P2_Obihai
1 192.168.50.1/24 192.168.50.0 VLAN_50
2 192.168.10.1/24 192.168.10.0 VLAN_10
3 192.168.13.1/24 192.168.13.0 VLAN_MGMT

Firewall (I kept it basic for now)

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

6 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

7 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN

I think most of us “old farts” will find configuration export more readable than some random printouts. So kindly post output of /export hide-sensitive (at least all /interface and most of /ip section).

Also read this resource on vlan bridge filtering if that is what you intend on using…
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I won't look at a partial config… waste of my time, as I am not as skilled at seeing hidden problems…
/export hide-sensitive file=anynameyouwish

Thank you folks. I read the referred document a few times to understand the concepts. They don't seem to vary dramatically from openwrt, which I worked with in the past on ARM platforms (at least brx platforms). I did notice the MTU of the management VLAN was fat-fingered. I will fix that.

Here you go:

model = RB4011iGS+

/interface bridge
add name=Br_Emerg
add admin-mac=48:8F:5A:A3:0E:82 auto-mac=no comment=defconf name=Br_VLAN vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=P1_Fios_WAN
set [ find default-name=ether2 ] name=P2_Obihai
set [ find default-name=ether3 ] name=P3_Alarm
set [ find default-name=ether4 ] name=P4_NAS
set [ find default-name=ether5 ] name=P5_Inverter
set [ find default-name=ether6 ] name=P6_Camera
set [ find default-name=ether7 ] name=P7_Pool
set [ find default-name=ether8 ] name=P8_Inactive
set [ find default-name=ether9 ] name=P9_MGMT
set [ find default-name=ether10 ] name=P10_BridgeAccess
set [ find default-name=sfp-sfpplus1 ] name=SFP_Switch
/interface vlan
add interface=Br_VLAN name=VLAN_10 vlan-id=10
add interface=Br_VLAN name=VLAN_50 vlan-id=50
add interface=Br_Emerg name=VLAN_EMERG vlan-id=1
add interface=Br_VLAN mtu=1372 name=VLAN_MGMT vlan-id=1372
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add disabled=no interface=Br_VLAN name=defconf
/ip pool
add name=Pool_10 ranges=192.168.10.201-192.168.10.254
add name=Pool_50 ranges=192.168.50.10-192.168.50.30
add name=Pool_MGMT ranges=192.168.13.101-192.168.13.105
/ip dhcp-server
address=192.168.13.1/24 interface=VLAN_MGMT network=192.168.13.0
/ip dhcp-client
add comment=defconf disabled=no interface=P1_Fios_WAN
/ip dhcp-server config
set store-leases-disk=12h
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=9.9.9.11 gateway=192.168.10.1
add address=192.168.13.0/24 dns-server=9.9.9.11 gateway=192.168.13.1
add address=192.168.50.0/24 dns-server=9.9.9.11 gateway=192.168.50.1
add address=192.168.72.0/24 comment=defconf dns-server=9.9.9.11 gateway=192.168.72.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.11

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.50.0/24
add action=masquerade chain=srcnat src-address=192.168.13.0/24
/system clock
set time-zone-name=America/New_York
/system identity
set name=Dave_Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

You may have looked at the document linked by @anav, but you certainly did not follow it. One of the messages is to use a single bridge. And you're missing the complete setup sections /interface bridge port and /interface bridge vlan. A lot of other config is missing as well, e.g. /ip address.

In addition, you also used VLAN 1, which should be left alone as this is handled automagically by the mikrotik.
The important thing is to ensure your management VLAN is on all the trunk ports to other smart devices, for example.
Instead of VLAN 1 use VLAN 10 or 100 or 11 or 101, you get the idea… lol

What is the purpose of these
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.50.0/24
add action=masquerade chain=srcnat src-address=192.168.13.0/24

You are missing one pool and three dhcp-server settings. mkx covered the rest…

I did not attach BR_Emerg to anything except port 8, which is meant for "911 access". I kept that as a placeholder to potentially have MAC access to winbox if the main bridge BR_VLAN became inaccessible through me messing up the main bridge. One of my questions for "emergency access" is how should I configure it? So I have 9 of the 10 ports (and the SFP) in BR_VLAN; if I choose ether8 as the "emergency" port, how should I configure it, and I assume from your laughing at me that it should not be in a bridge, is this correct?

Sorry I am new to this nomenclature and have been doing networking for 25 years, so please be gentle. I am 4 days into Mikrotik, and I want to enjoy the platform guys and I hope this isn't a "cool kids" group where shaming is the norm.

Requested information:

PORT (Using port 9 as the access port for management VLAN)

INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON

0 ;;; defconf
P2_Obihai Br_VLAN no 50 0x80 10 10 none
1 ;;; defconf
P3_Alarm Br_VLAN no 50 0x80 10 10 none
2 I ;;; defconf
P4_NAS Br_VLAN no 10 0x80 10 10 none
3 ;;; defconf
P5_Inverter Br_VLAN no 50 0x80 10 10 none
4 I ;;; defconf
P6_Camera Br_VLAN no 50 0x80 10 10 none
5 I ;;; defconf
P7_Pool Br_VLAN no 50 0x80 10 10 none
6 ;;; defconf
P10_BridgeAccess Br_VLAN no 1 0x80 10 10 none
7 ;;; defconf
SFP_Switch Br_VLAN no 1 0x80 10 10 none
8 I P9_MGMT Br_VLAN yes 1372 0x80 10 10 none
9 I P8_Inactive Br_Emerg yes 1 0x80 10 10 none

VLAN:

 #   BRIDGE    VLAN-IDS  CURRENT-TAGGED        CURRENT-UNTAGGED
 0   Br_VLAN   10        Br_VLAN, SFP_Switch   P4_NAS
 1   Br_VLAN   50        Br_VLAN, SFP_Switch   P2_Obihai, P3_Alarm, P5_Inverter
 2   Br_VLAN   1372      Br_VLAN, SFP_Switch
 3   Br_Emerg  1
 4 D Br_VLAN   1                               Br_VLAN, SFP_Switch, P10_BridgeAccess


IP Address:

ADDRESS NETWORK INTERFACE

0 ;;; defconf
192.168.72.1/24 192.168.72.0 P2_Obihai
1 192.168.50.1/24 192.168.50.0 VLAN_50
2 192.168.10.1/24 192.168.10.0 VLAN_10
3 192.168.13.1/24 192.168.13.0 VLAN_MGMT
4 D 68.133.29.224/24 68.133.29.0 P1_Fios_WAN

Sorry, here is the DHCP: (VLAN MGMT ID is 1372)

NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

0 defconf Br_VLAN static-only 10m
1 DHCP_10 VLAN_10 Pool_10 10m
2 DHCP_50 VLAN_50 Pool_50 10m
3 DHCP_MGMT VLAN_MGMT Pool_MGMT 10m

POOLs:

NAME RANGES

0 Pool_10 192.168.10.201-192.168.10.254
1 Pool_50 192.168.50.10-192.168.50.30
2 Pool_MGMT 192.168.13.101-192.168.13.105

What is the purpose of these
add action=masquerade chain=srcnat src-address=192.168.10.0/24
add action=masquerade chain=srcnat src-address=192.168.50.0/24
add action=masquerade chain=srcnat src-address=192.168.13.0/24


I believe that is an error, because after I reread this post: https://www.timigate.com/2018/08/three-different-ways-to-configure-source-nat-on-mikrotik-routers.html

my intention was to only keep the .13 network (the management VLAN) internal.

You will get yourself into trouble chasing youtube and google advice on MT equipment.
Best thing here is to state your requirements, your EMERG thingy is still a bit obscure for example, and then we can help guide you in the right direction.
The default settings on the routers are a good starting point.

Many make the mistake then of reading all kinds of ‘bright ideas’ and suddenly their config is a bloated mess, when in reality they wanted only some basic functionality perhaps with a few specific requirements in the mix.

If you are worried about botching your setup when configuring the router, use the SAFEMODE button top left of WINBOX after accessing the router. Out of habit tis the first thing I do when opening the router config LOL.

Another example of an obscure requirement: "only wanted to keep the management vlan internal"… do you mean no internet access? Do you mean no other VLANs have access to it? Do you mean only those authorized to admin/config the router should have access, etc…

I also noted you have the same thing I do, a VoIP modem it looks like on eth2. I use VLANs for all my subnets, but there is nothing wrong with keeping it as a separate subnet; but where is the pool/DHCP server for that subnet as well???

Please post another config with the changes, cannot read the egyptian text :wink: (needed especially to make heads or tails of the bridge port/vlan settings).
Also recommend using (bridge port settings) for trunk ports ingress-filtering=yes and for access ports frames —> priority and untagged frames and of course the PVID number.
Tis all in the reference.

@anav.

Thanks for the recommendations on VLAN packet handling. I was going to make those changes but I didn't want to botch up more. I will fix them. I consider this fun and frustrating at the same time, because the Mikrotik wiki isn't really product specific and it often gives 2-3 recommendations. This gets compounded by the videos/blogs out there, which I am finding are sometimes just wrong, and the software changes obsolete a bunch of them.

I have two open requirements at this point (consider this amateur)

  1. Emergency port access outside the main bridge - I JUST want ether8 (P8_) to be an emergency access port so that if I mess something up in the bridge I can still get access with winbox to manage the router, since it seems there is no serial console on this device. I cannot get this to work at all if I remove the port from the bridge, so I set up the "EMERG" bridge, to no avail. I "assume" that if the port is not in a bridge it is managed by the L2 switch ports without any VLAN functionality, but I do not understand how that interacts with the router IP for winbox access. I read you can access via MAC, but I tried that and it didn't work.

  2. Management VLAN - I want this to be a secure VLAN to manage the switch and router, only managed from two devices. I would like access from one port in the router (ether9) and a workstation in the access switch which has 1) VLAN 10 untagged and 2) management VLAN 1372 tagged aka hybrid port. I have set the CSS switch setting to “any” for that port. The untagged VLAN adapter works fine. I can plumb the tagged management VLAN and it receives the proper IP range (.13).

I can ping the switch from both ports, but I cannot launch winbox on either.

You are correct I put my IoT/VOIP devices in the VLAN50 LAN which I am going to tighten up (along w/ adding wireless later) once I get the base config working and I begin to understand the depth of the software.

I will clean up the config and repost with your recommended settings. Thanks!

Hi there, just be aware that the MT VLAN bridge configuration system does not normally allow for hybrid ports. They are either access ports or trunk ports.
Can you clarify which port is designated for this function and what exactly you are connecting to (an unmanaged switch? a PC?)
The only time one can usually configure a hybrid port that will work is for a very specific case such as a VoIP phone that is meant to also connect to a computer.
Basically this device can read tags and thus takes the tagged data for the phone and passes the rest to the PC (the untagged part of the flow coming in from the port on the router).
In other words, only if it's going to a smart device of some sort!!!

Okay so basically you want the emergency port to be a direct port to configure the router, separate from the bridge, due to fears of screwing up the bridge in some way.
I am assuming this port will have its own VLAN or subnet, such that for interface list members you can create one called control:
/interface list
add name=wan
add name=lan
add name=control

Then
/interface list member
add interface=adminvlan list=control
add interface=emergsubnet (or emergvlan) list=control

Then in your input chain (more to follow on this rule below)
add chain=input action=accept in-interface-list=control

Then in your TOOLS mac-server for winbox
/tool mac-server mac-winbox
set allowed-interface-list=control (and not LAN)


By the way, if you know the list of IPs that you will allow access to winbox for admin purposes and to administer the router, create a firewall address list named admin, for example:
/ip firewall address-list
add address=IPofadminDesktop list=admin
add address=IPofadminLaptop list=admin
add address=IPofadminIPAD list=admin
add address=IPofadmin_when_attaching_device_to_emergnet list=admin (for example set an IP manually on the laptop).

So the rule on your INPUT CHAIN becomes (which really nails it to only two subnets and only to certain IP addresses):
add chain=input action=accept in-interface-list=control src-address-list=admin
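The reason ping to the router works while winbox does not, and what the control/admin lists above change, is easier to see by walking the input chain the way RouterOS does: top down, first match wins, fall off the end means accept. The model below is an added illustration for this thread; it is not RouterOS code and was not posted by anyone here. It models only the matchers the thread uses (connection-state, protocol, in-interface-list, src-address-list); the admin addresses and the 192.168.100.x emergency subnet values are constructed sample values. The key point is that `in-interface` for traffic arriving on a VLAN interface is that VLAN interface (VLAN_MGMT), not the bridge, so a LAN list that holds only Br_VLAN does not cover it:

```python
"""Model of how a RouterOS input chain evaluates a packet against interface
lists and address lists.  Added illustration for this thread; not RouterOS
code and not posted by any participant.  Only the matchers the thread uses
are modelled (connection-state, protocol, in-interface-list, src-address-list)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

WINBOX_PORT = 8291  # Winbox's default TCP port


@dataclass
class Packet:
    in_iface: str                  # L3 interface the packet arrived on (VLAN_MGMT, not Br_VLAN)
    src: str
    proto: str                     # "icmp", "tcp" or "udp"
    dst_port: Optional[int] = None
    conn_state: str = "new"


@dataclass
class Rule:
    action: str
    comment: str
    protocol: Optional[str] = None
    connection_state: tuple = ()
    in_interface_list: Optional[str] = None    # "LAN", or negated as "!LAN"
    src_address_list: Optional[str] = None


@dataclass
class Router:
    interface_lists: dict = field(default_factory=dict)   # list name -> set of interfaces
    address_lists: dict = field(default_factory=dict)     # list name -> list of CIDR strings
    input_rules: list = field(default_factory=list)

    def iface_matches(self, iface: str, spec: str) -> bool:
        negated = spec.startswith("!")
        members = self.interface_lists.get(spec.lstrip("!"), set())
        return (iface in members) != negated

    def src_in_list(self, src: str, name: str) -> bool:
        return any(ip_address(src) in ip_network(cidr)
                   for cidr in self.address_lists.get(name, []))

    def input_verdict(self, pkt: Packet):
        """Walk the input chain top down; the first matching rule decides.
        Falling off the end of a chain is an accept in RouterOS."""
        for r in self.input_rules:
            if r.protocol and r.protocol != pkt.proto:
                continue
            if r.connection_state and pkt.conn_state not in r.connection_state:
                continue
            if r.in_interface_list and not self.iface_matches(pkt.in_iface, r.in_interface_list):
                continue
            if r.src_address_list and not self.src_in_list(pkt.src, r.src_address_list):
                continue
            return r.action, r.comment
        return "accept", "end of chain (implicit accept)"


# The defconf input rules that matter here, in the order they are installed.
DEFCONF_INPUT = [
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state=("established", "related", "untracked")),
    Rule("drop", "defconf: drop invalid", connection_state=("invalid",)),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN"),
]


def as_first_posted() -> Router:
    """The first export in the thread: LAN contains only Br_VLAN, so a packet
    whose in-interface is VLAN_MGMT is 'not coming from LAN' to the last rule."""
    return Router(interface_lists={"LAN": {"Br_VLAN"}}, input_rules=list(DEFCONF_INPUT))


def with_control_list() -> Router:
    """anav's pattern: a 'control' interface list plus an 'admin' address list,
    accepted explicitly, then a final drop.  Admin IPs are constructed samples."""
    r = Router(
        interface_lists={"LAN": {"Br_VLAN", "VLAN_MGMT", "P10_Emerg"},
                         "control": {"VLAN_MGMT", "P10_Emerg"}},
        address_lists={"admin": ["192.168.72.10/32", "192.168.100.10/32"]},
    )
    r.input_rules = DEFCONF_INPUT[:3] + [
        Rule("accept", "admin access from control interfaces",
             in_interface_list="control", src_address_list="admin"),
        Rule("drop", "drop all else"),
    ]
    return r


if __name__ == "__main__":
    ws = "192.168.13.101"   # a Pool_MGMT lease from the first export
    old = as_first_posted()
    print(old.input_verdict(Packet("VLAN_MGMT", ws, "icmp")))               # accept: ping works
    print(old.input_verdict(Packet("VLAN_MGMT", ws, "tcp", WINBOX_PORT)))   # drop: winbox does not
    new = with_control_list()
    print(new.input_verdict(Packet("VLAN_MGMT", "192.168.72.10", "tcp", WINBOX_PORT)))  # accept
    print(new.input_verdict(Packet("VLAN_MGMT", "192.168.72.50", "tcp", WINBOX_PORT)))  # drop
    print(new.input_verdict(Packet("VLAN_10", "192.168.72.10", "tcp", WINBOX_PORT)))    # drop
```

With the final "drop all else" in place, anything else the router must answer from the LAN (DNS, DHCP) needs its own accept rule above it; the trade-off is that Winbox reachability is then decided by membership in two lists rather than by whatever happens to fall off the end of the chain.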

Since when? A bridge port without PVID set and either with ingress-filtering set to no (that's default) or with ingress-filtering set to yes AND frame-types set to admit-all (again default) will gladly accept both tagged and untagged frames … by definition that's a hybrid port.

Well it certainly is described here: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
And it seems one defines the access port and PVID in the bridge port setup (but does not use frame-types, priority and untagged only).
Then in the bridge vlan setup one adds a tagged VLAN to that port.

(The multiple ways you describe are not covered, and perhaps you need to take all that energy and write a fiction novel ;-P)
Seriously, did PCUNITE ever cover off hybrid ports in his excellent presentation??
If not, perhaps you should add that chapter.

My question still remains, what is that port going to be attached to??

There are several mentions of hybrid ports in the document you linked. Perhaps you should re-read it and figure out (again) what exactly hybrid port actually is?

And with all respect to @pcunite and his excellent tutorial, that document is in no way an absolute reference of what's possible to do in ROS. IIRC he started off with hybrid ports and native VLAN in the config, which he redacted later after I expressed my opinion about going with an all-VLAN setup. It is a great tutorial and sticking to it almost guarantees a correct VLAN config. It is not, however, the VLAN-under-ROS bible.

Hmm, well I only saw that particular rendition of a hybrid port, I will have another look maybe this century.
If you are talking about tag stacking, that is beyond my low level of comprehension.
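What separates an access port, a trunk port and the hybrid port mkx describes is only the combination of pvid, frame-types and ingress-filtering on the bridge port plus the port's membership in /interface bridge vlan. The model below is an added illustration for this thread; it is not RouterOS code and was not posted by anyone here. The semantics are my reading of the Bridge VLAN Table manual linked above: the bridge itself is the CPU-facing port, untagged and priority-tagged (VID 0) frames take the ingress port's PVID, and ingress-filtering=yes drops a frame whose VID the ingress port is not a member of. MAC learning is ignored, so "egress" lists every member port. The port name P8_Hybrid is constructed for the example; P9_MGMT is modelled as anav's untagged access port rather than the tagged-only variant in the later export:

```python
"""Model of RouterOS bridge VLAN filtering on one bridge: per-port pvid,
frame-types and ingress-filtering plus the /interface bridge vlan table.
Added illustration for this thread; not RouterOS code and not posted by any
participant.  Semantics are my reading of the Bridge VLAN Table manual."""
from dataclasses import dataclass

ADMIT_ALL = "admit-all"
TAGGED_ONLY = "admit-only-vlan-tagged"
UNTAGGED_ONLY = "admit-only-untagged-and-priority-tagged"


@dataclass
class BridgePort:
    name: str
    pvid: int = 1
    frame_types: str = ADMIT_ALL
    ingress_filtering: bool = False


class Bridge:
    def __init__(self, name, ports, vlan_table):
        self.name = name                      # the bridge is also the CPU port
        self.ports = {p.name: p for p in ports}
        self.vlan_table = vlan_table          # vid -> {"tagged": {...}, "untagged": {...}}

    def members(self, vid):
        entry = self.vlan_table.get(vid, {})
        return set(entry.get("tagged", ())), set(entry.get("untagged", ()))

    def ingress(self, port_name, frame_vid):
        """VID the bridge assigns to a frame arriving on port_name, or None if
        the frame is dropped.  frame_vid None = untagged, 0 = priority-tagged."""
        port = self.ports[port_name]
        untagged_like = frame_vid is None or frame_vid == 0
        if untagged_like and port.frame_types == TAGGED_ONLY:
            return None
        if not untagged_like and port.frame_types == UNTAGGED_ONLY:
            return None
        vid = port.pvid if untagged_like else frame_vid
        if port.ingress_filtering:
            tagged, untagged = self.members(vid)
            if port_name not in tagged and port_name not in untagged:
                return None
        return vid

    def egress(self, port_name, vid):
        """Member ports other than the ingress port, and how each receives the frame."""
        tagged, untagged = self.members(vid)
        out = {p: "tagged" for p in tagged if p != port_name}
        out.update({p: "untagged" for p in untagged if p != port_name})
        return out

    def deliver(self, port_name, frame_vid):
        vid = self.ingress(port_name, frame_vid)
        return {} if vid is None else self.egress(port_name, vid)


def example_bridge(hybrid_ingress_filtering=False):
    """Br_VLAN with P9_MGMT as an untagged access port for 1372, SFP_Switch as
    a tagged-only trunk, and a hypothetical P8_Hybrid port (name constructed)
    set up as mkx describes: PVID 10, admit-all, ingress filtering off."""
    return Bridge(
        "Br_VLAN",
        [
            BridgePort("P9_MGMT", pvid=1372, frame_types=UNTAGGED_ONLY, ingress_filtering=True),
            BridgePort("SFP_Switch", frame_types=TAGGED_ONLY, ingress_filtering=True),
            BridgePort("P8_Hybrid", pvid=10, frame_types=ADMIT_ALL,
                       ingress_filtering=hybrid_ingress_filtering),
        ],
        {
            10:   {"tagged": {"Br_VLAN", "SFP_Switch"}, "untagged": {"P8_Hybrid"}},
            1372: {"tagged": {"Br_VLAN", "SFP_Switch"}, "untagged": {"P9_MGMT"}},
        },
    )


if __name__ == "__main__":
    b = example_bridge()
    print(b.deliver("P9_MGMT", None))       # untagged -> 1372 -> CPU and trunk, tagged
    print(b.deliver("P9_MGMT", 10))         # tagged frame on an access port: dropped
    print(b.deliver("SFP_Switch", None))    # untagged frame on a tagged-only trunk: dropped
    print(b.deliver("P8_Hybrid", None))     # hybrid: untagged takes PVID 10
    print(b.deliver("P8_Hybrid", 1372))     # hybrid: tagged 1372 accepted without membership
    strict = example_bridge(hybrid_ingress_filtering=True)
    print(strict.deliver("P8_Hybrid", 1372))   # dropped: P8_Hybrid is not a 1372 member
    strict.vlan_table[1372]["tagged"].add("P8_Hybrid")
    print(strict.deliver("P8_Hybrid", 1372))   # member again: accepted
```

The last three calls are the practical point of anav's ingress-filtering=yes recommendation: with filtering off, a hybrid port forwards any tagged VID it happens to receive into the bridge; with filtering on, the port forwards only the VIDs it is explicitly listed under, so the tagged side of a hybrid port has to be declared in /interface bridge vlan.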

I just wanted to point out that there is a serial port on the RB4011. It’s on the back by the power plug.

@seedbedUnmoved - Thanks! Did not know there is a serial cable.

Folks - After worrying about messing up the working environment I purchased a hEX to play around with and figure out where I was making mistakes. Following the advice here I was able to:

  1. Use port 10 as an emergency port outside of the bridge
  2. Create a tagged-only Management VLAN. I set up my workstation with two interfaces – untagged VLAN 10 and tagged management using Intel. Note the workstation is plugged into a downstream CSS326 where I set that port up as hybrid.
  3. Ingress and egress filtering are on across the board, and strict on the CSS326 SwOS. I just needed to make minor changes there.
  4. Able to turn off dynamic add, and remove VLAN 1 from the active VLANs
  5. Port forward the Plex server correctly.

Errors:

  1. I was not consistent in egress/ingress filtering and I removed the extraneous LAN from the original setup and the 72 LAN now just has the router and switch in it. The only two access points are the workstation, and an access port on the router (ether9).
  2. I moved ether 10 out of the bridge, housed the router IP on it, and added it to the LAN interface-list
  3. I added the VLAN_MGMT to the LAN interface list.
  4. Foolishly I did not review the fw rules that the device setup by default and the input chains were causing the drops to happen.
  5. Changed PVID of bridge and trunk to different VLAN ID (just in case)

For now there is cross-IP access and internet for VLAN_MGMT which I will tighten up with the appropriate rules. And I will continue adding isolation/filtering as necessary step by step.

I notice that a bunch of the documentation and recommended settings guides point to LAN as an interface and not an interface-list, and I had to tune up some of my scripts to adjust for that, and that caused me a bunch of confusion that spilled over to the fw rules, which I uncovered banging on the hEX (which I put in a protected sandbox). I mean I turned off the fw on the WAN for 2 minutes and literally was bombed by 4 different Chinese servers trying to bust into my IoT devices.

So thanks to all, banging on a second device took a lot of pressure off and I figured out everything in two hours once I had the hex which is a very nice little box. Clearly could be used for most homes.

Here is the in situ config:

/interface bridge
add admin-mac=48:8F:5A:A3:0E:82 auto-mac=no comment="Main Router Bridge" frame-types=admit-only-vlan-tagged ingress-filtering=yes name=Br_VLAN pvid=1372 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=P1_Fios_WAN
set [ find default-name=ether2 ] name=P2_Obihai
set [ find default-name=ether3 ] name=P3_Alarm
set [ find default-name=ether4 ] name=P4_NAS
set [ find default-name=ether5 ] name=P5_Inverter
set [ find default-name=ether6 ] name=P6_Camera
set [ find default-name=ether7 ] name=P7_Pool
set [ find default-name=ether8 ] name=P8_Inactive
set [ find default-name=ether9 ] name=P9_MGMT
set [ find default-name=ether10 ] name=P10_Emerg
set [ find default-name=sfp-sfpplus1 ] name=SFP_Switch
/interface vlan
add interface=Br_VLAN name=VLAN_10 vlan-id=10
add interface=Br_VLAN name=VLAN_50 vlan-id=50
add interface=Br_VLAN name=VLAN_MGMT vlan-id=1372
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Pool_10 ranges=192.168.10.201-192.168.10.254
add name=Pool_50 ranges=192.168.50.10-192.168.50.30
add name=Pool_MGMT ranges=192.168.72.101-192.168.72.105
add name=Pool_100E ranges=192.168.100.30-192.168.100.34
/ip dhcp-server
add address-pool=Pool_10 disabled=no interface=VLAN_10 name=DHCP_10
add address-pool=Pool_50 disabled=no interface=VLAN_50 name=DHCP_50
add address-pool=Pool_MGMT disabled=no interface=VLAN_MGMT name=DHCP_MGMT
add address-pool=Pool_100E disabled=no interface=P10_Emerg name=DHCP_100E
/interface bridge port
add bridge=Br_VLAN comment=defconf frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=P2_Obihai pvid=50
add bridge=Br_VLAN comment=defconf frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=P3_Alarm pvid=50
add bridge=Br_VLAN comment=defconf frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=P4_NAS pvid=10
add bridge=Br_VLAN comment=defconf frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=P5_Inverter pvid=50
add bridge=Br_VLAN comment=defconf frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=P6_Camera pvid=50
add bridge=Br_VLAN comment=defconf frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=P7_Pool pvid=50
add bridge=Br_VLAN comment=defconf frame-types=admit-only-vlan-tagged hw=no ingress-filtering=yes interface=SFP_Switch
add bridge=Br_VLAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=P9_MGMT pvid=1372
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Br_VLAN tagged=SFP_Switch,Br_VLAN vlan-ids=10
add bridge=Br_VLAN tagged=Br_VLAN,SFP_Switch vlan-ids=50
add bridge=Br_VLAN tagged=Br_VLAN,SFP_Switch,P9_MGMT vlan-ids=1372
/interface list member
add comment=defconf interface=Br_VLAN list=LAN
add comment=defconf interface=P1_Fios_WAN list=WAN
add interface=VLAN_MGMT list=LAN
add interface=P10_Emerg list=LAN
/ip address
add address=192.168.72.1/24 comment=defconf interface=VLAN_MGMT network=192.168.72.0
add address=192.168.50.1/24 interface=VLAN_50 network=192.168.50.0
add address=192.168.10.1/24 interface=VLAN_10 network=192.168.10.0
add address=192.168.100.1/24 interface=P10_Emerg network=192.168.100.0
/ip dhcp-client
add comment=defconf disabled=no interface=P1_Fios_WAN use-peer-dns=no
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.50.0/24 dns-server=9.9.9.11 gateway=192.168.50.1
add address=192.168.72.0/24 comment=defconf dns-server=192.168.72.1 gateway=192.168.72.1 netmask=24
add address=192.168.100.0/24 dns-server=9.9.9.11 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.11

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="Drop all packets which are not destined to the router's IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which do not have a unicast source IP address" src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface-list=WAN src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface-list=WAN src-address-list=NotPublic
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=50457 in-interface=P1_Fios_WAN protocol=tcp to-addresses=192.168.10.101 to-ports=32400
add action=dst-nat chain=dstnat dst-port=50457 in-interface=P1_Fios_WAN protocol=udp to-addresses=192.168.10.101 to-ports=32400
/system clock
set time-zone-name=America/New_York
/system identity
set name=Dave_Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

I would do it differently. :wink:


/interface bridge
add admin-mac=48:8F:5A:A3:0E:82 auto-mac=no comment="Main Router Bridge" name=Br_VLAN vlan-filtering=yes

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment=defconf interface=P1_Fios_WAN list=WAN
add interface=VLAN_MGMT list=LAN
add interface=VLAN_10 list=LAN
add interface=VLAN_50 list=LAN
add interface=P10_Emerg list=LAN

/interface bridge port
add bridge=Br_VLAN frame-types=admit-only-untagged-and-priority-tagged
interface=P2_Obihai pvid=50
add bridge=Br_VLAN frame-types=admit-only-untagged-and-priority-tagged
interface=P3_Alarm pvid=50
add bridge=Br_VLAN frame-types=admit-only-untagged-and-priority-tagged
interface=P4_NAS pvid=10
add bridge=Br_VLAN frame-types=admit-only-untagged-and-priority-tagged
interface=P5_Inverter pvid=50
add bridge=Br_VLAN frame-types=admit-only-untagged-and-priority-tagged
interface=P6_Camera pvid=50
add bridge=Br_VLAN frame-types=admit-only-untagged-and-priority-tagged
interface=P7_Pool pvid=50
+++++++++++++++++++++++++++++++++++++++++++++ (I am not sure about P9, as it does not seem like a smart device to me (a PC)?? I will buy the switch being one!!)
add bridge=Br_VLAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=SFP_Switch
add bridge=Br_VLAN frame-types=admit-only-untagged-and-priority-tagged interface=P9_MGMT pvid=1372

/interface bridge vlan
add bridge=Br_VLAN tagged=Br_VLAN,SFP_Switch untagged=P4_NAS vlan-ids=10
add bridge=Br_VLAN tagged=Br_VLAN,SFP_Switch untagged=P2_Obihai,P3_Alarm,P5_Inverter,P6_Camera,P7_Pool vlan-ids=50
add bridge=Br_VLAN tagged=Br_VLAN,SFP_Switch untagged=P9_MGMT vlan-ids=1372

/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment=
+++++++++++++++++++++++++++++++++++++++
GET RID OF ALL THE SILLY NOISY RULES that follow (and those address lists) and simply add this rule below and modify the "drop all from WAN" rule just above the line ++++
so it looks like this:
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"

NOTE: You will need to add allowed traffic before the drop rule (such as LAN to WAN traffic).