What is the proper way to create separate networks that are not bridged?
I have the new RB450x4 and I would like to separate my LAN from my guest network, but would like to keep the default firewall.

I can easily take port five (5) off the bridge, but if I try port two (2), I am locked out since that's the port I am connected to.
I would like port two (2), my LAN, to have 10.0.8.0/24 and port five (5), my guest, 172.17.9.0/24.
If I configure the router using, say, port three (3), would that retain the default address 192.168.88.1?
This bridge is confusing… I had to open up the router to reset it.
To make changes so you don't get locked out,
create one port off the bridge like this and do all your config from there…
https://forum.mikrotik.com/viewtopic.php?t=181718
Okay, I used port three to reconfigure the router; however, the step I am having an issue with is where do I add, say, ether 2 to the trusted list so I can access the router?
I just tried logging in and it seems that it is not accepting the admin user on that interface. I don't want to keep connecting to the router with an Ethernet cable on ether 3 when my WiFi is on ether 2.
You add the WLAN interface to the list, NOT the port… but many thanks, it was not clear in my article and I have just made some modifications.
See if it reads better for you now!!
/interface list member add interface=WLAN list=manage
I am not using WLAN… this is what I have set up… see images, and it seems that I am dropping all traffic from the NolliLAN… how do I make both LANs a part of the default LAN so I don't need to create separate and more rules… just use the default firewall rules? I only allow a pool of eight (8) on GuestLAN because I should not have more than eight guests needing to connect to my Internet at any time.
Pictures are nice, but I need to see the config:
/export hide-sensitive file=anynameyouwish
I should add that my advice was NOT to create a separate network but to create separate access to the router for config purposes.
For a completely different subnet, besides the IP address you need an IP pool, DHCP server, DHCP server network, etc…
Yes, I did create different subnets and all that's needed. Now, all I want to know is how to add those subnets to the default firewall rules so that I don't need to create new rules.
Post your latest config for assistance.
I am using a Mac so cannot copy from the MikroTik terminal, so I hope a pic will help. I didn't see any list called deconfig…
Just realized I could use the browser and copy from the Terminal that way… so, here it is…
[nolli@MikroTik] > /export
jan/05/2022 16:08:27 by RouterOS 7.1
software id = 33B2-XGBT
model = RB450Gx4
serial number = ADBA0ACE537B
/interface bridge
add admin-mac=74:4D:28:21:60:52 auto-mac=no comment=defconf name=bridge
/disk
set sd1 disabled=no
set sd1-part1 disabled=no name=disk1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool1 ranges=10.0.8.2-10.0.8.254
add name=pool2 ranges=172.17.9.2-172.17.9.10
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool1 interface=ether2 name=NolliLAN server-address=10.0.8.1
add address-pool=pool2 interface=ether5 name=GuestLAN server-address=172.17.9.1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.8.1 interface=ether2 network=10.0.8.0
add address=172.17.9.1 interface=ether5 network=172.17.9.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.8.0/24 dns-server=10.0.8.1 gateway=10.0.8.1 netmask=24
add address=172.17.9.0/24 dns-server=172.17.9.1 gateway=172.17.9.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,10.0.8.1,172.17.9.1
/ip dns static
add address=10.0.8.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[nolli@MikroTik] >
Try using the code brackets around the config; it will shorten it up for viewing purposes (the black square with white square brackets on the same line as B I U etc.).
Looking at the config, so far so good!
- See three subnets: one for the bridge and two for specific ports.
Not really wrong, but not useful, are these settings.
/ip dns
set allow-remote-requests=yes servers=192.168.1.1,10.0.8.1,172.17.9.1
(the router already knows these are the servers for the networks, but they are not sources; try instead
1.1.1.2 and 9.9.9.9 as good DNS servers (the first one is Cloudflare, the second is the Quad9 DNS service, also very good).
/ip dns static
add address=10.0.8.1 comment=defconf name=router.lan
(this is from the default setup and can be removed).
The firewall rules are the default ones.
The only question I have is: do you want to limit who can access the router itself (typically to configure it)? Right now all LAN users have access??
Also, right now you have no separation in firewall rules between subnets; is that the requirement??
Don't see an IP route, so assuming you have this selected at the IP DHCP client setting?
Ahh, I see you're an IPv6 chap, well that counts me out, sorry, don't have a clue about IPv6 or its firewall rules… l8r…
The DNS server 192.168.1.1 is pfSense, which will have OpenDNS as sources, and the MikroTik will connect to the pfSense with that address for WAN.
The MikroTik is king of my LAN, which includes GuestLAN. I did not want any separation in firewall rules, and all LAN passes through the default firewall rules.
So, I take it since I have:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN; and
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether5 list=LAN
that all LAN will be governed by the default firewall rules… correct? I don't recall setting up that DNS static, but I am cool with it.
There is only one user > me, and I have disabled admin. I am not brave enough for IPv6 yet, so that's default and I'll leave it like that.
Yes, looks good.
Why not just put the OpenDNS servers right in the MT? Don't need pfSense for that??
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
The reason is I am using the pfBlockerNG package on pfSense, so all DNS requests resolve there.
I am still having a login issue from the 10.0.8.0 network without the Ethernet cable plugged into ether 3.
So, where should I create the management list… under firewall? I thought when I added the 10.0.8.1 interface to Winbox under manage I would not have the issue.
The Interface menu selection is where you find the option to add a new LIST; it's tricky to find, I think it's a square box vice a pulldown…
There is no way… you'll just be creating another LAN that would have the same exact network. I even tried creating a firewall input rule and that didn't work. Then I added the network to the user… that disabled the password and I got locked out since admin was disabled.
So, no matter what I did, logging in from the ether two network resulted in a timeout… even putting the input rule above all… appears default config a b…
It's like the router is not recognizing the user unless an Ethernet cable is plugged into ether three on the bridge… must be a bug!
So, I exported the config for you to examine:
[admin@MikroTik] > /export
jan/07/2022 11:48:45 by RouterOS 7.1
software id = 33B2-XGBT
model = RB450Gx4
serial number = ADBA0ACE537B
/interface bridge
add admin-mac=74:4D:28:21:60:52 auto-mac=no comment=defconf name=bridge
/disk
set sd1 disabled=no
set sd1-part1 disabled=no name=disk1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=nolliLAN ranges=10.0.8.2-10.0.8.4,10.0.8.20-10.0.8.251
add name=guestLAN ranges=172.17.9.2-172.17.9.10
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=nolliLAN interface=ether2 lease-time=3d name=nolliLAN
add address-pool=guestLAN interface=ether5 lease-time=50m name=guestLAN
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.8.1 interface=ether2 network=10.0.8.0
add address=172.17.9.1 interface=ether5 network=172.17.9.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.0.8.0/24 dns-server=10.0.8.1,192.168.1.1 gateway=10.0.8.1 netmask=24
add address=172.17.9.0/24 dns-server=172.17.9.1,192.168.1.1 gateway=172.17.9.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.8.1 list=nolliLAN-management
/ip firewall filter
add action=accept chain=input src-address-list=nolliLAN-management
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Chicago
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=time.apple.com
add address=time.google.com
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
NO, it's not a bug, it's a user who has made mistakes in configuring the device.
(1) Just different
I shudder when people stray from norms, mostly because I get lost right quick…
ex.
add name=nolliLAN ranges=10.0.8.2-10.0.8.4,10.0.8.20-10.0.8.251
WHY??? In any case, not wrong, just weird from my perspective.
-
ERROR.
/ip address
…
add address=10.0.8.1 interface=ether2 network=10.0.8.0
add address=172.17.9.1 interface=ether5 network=172.17.9.0
Should be
add address=10.0.8.1/24 interface=ether2 network=10.0.8.0
add address=172.17.9.1/24 interface=ether5 network=172.17.9.0
-
Just different
Why put two? What is gained???
/ip dhcp-server network
add address=10.0.8.0/24 dns-server=10.0.8.1,192.168.1.1 gateway=10.0.8.1 netmask=24
add address=172.17.9.0/24 dns-server=172.17.9.1,192.168.1.1 gateway=172.17.9.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
-
Potential ERROR
Why .1? That is usually a reserved IP, and not the IP given to and used by a computer/device/user??
/ip firewall address-list
add address=10.0.8.1 list=nolliLAN-management
The list should be something like
add address=ip of admin desktop list=nolliLAN-management
add address=ip of admin laptop list=nolliLAN-management
add address=ip of admin smartphone list=nolliLAN-management
add address=ip of admin ipad list=nolliLAN-management
etc…
-
Personal Preference
I would put this input chain rule after the INVALID rule in order…
add action=accept chain=input src-address-list=nolliLAN-management
-
Just checking.
Assuming you have an IP route established via the IP DHCP client settings, as I see none in your config.
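As an added check, not code from this thread or from MikroTik, here is a small Python linter that parses /export output and flags the three points anav raises above: an /ip address entry with no prefix length, the router's own IP sitting in the management address-list, and the management accept rule ordered before the defconf "drop invalid" rule in the input chain. The sample export is constructed, modelled on the second export posted in the thread.

```python
import shlex

# Constructed sample modelled on the second export in this thread (not a real
# device dump): two /ip address entries lack a prefix length, the router's own
# IP is in the management list, and the accept rule sits before "drop invalid".
SAMPLE_EXPORT = """\
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.8.1 interface=ether2 network=10.0.8.0
add address=172.17.9.1 interface=ether5 network=172.17.9.0
/ip firewall address-list
add address=10.0.8.1 list=nolliLAN-management
/ip firewall filter
add action=accept chain=input src-address-list=nolliLAN-management
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""


def parse_export(text):
    """Turn /export output into a list of (section, verb, {key: value})."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line              # e.g. "/ip firewall filter"
            continue
        tokens = shlex.split(line)      # keeps comment="a b c" as one token
        kv = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                kv[key] = value
        entries.append((section, tokens[0], kv))
    return entries


def lint_export(text):
    """Return human-readable findings for the three problems discussed above."""
    entries = parse_export(text)
    findings, router_ips = [], set()
    for section, verb, kv in entries:
        if section == "/ip address" and verb == "add":
            addr = kv.get("address", "")
            router_ips.add(addr.split("/")[0])
            if "/" not in addr:
                findings.append(f"no prefix length on /ip address {addr}")
    for section, verb, kv in entries:
        if section == "/ip firewall address-list" and kv.get("address") in router_ips:
            findings.append(f"list {kv.get('list')} holds the router's own IP {kv['address']}")
    inputs = [kv for s, _, kv in entries
              if s == "/ip firewall filter" and kv.get("chain") == "input"]
    drop_invalid = next((i for i, r in enumerate(inputs) if r.get("action") == "drop"
                         and r.get("connection-state") == "invalid"), None)
    for i, r in enumerate(inputs):
        if (drop_invalid is not None and i < drop_invalid
                and r.get("action") == "accept" and "src-address-list" in r):
            findings.append(f"input accept for {r['src-address-list']} is before 'drop invalid'")
    return findings


if __name__ == "__main__":
    for finding in lint_export(SAMPLE_EXPORT):
        print("-", finding)
```

Feed it the output of /export hide-sensitive from your own router; anything it does not flag is left alone, so the rest of the defconf rules pass through untouched.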
I LOL reading this and seeing some of my mistakes…
I have cameras, servers, and a switch that live within the 10.0.8.5-10.0.8.19 range statically. I have been setting it up like that for eight years now, starting with my old RB450G.
Ah… I see the mistake… thanks for sharing!
Just to let the router know to look upstream if the request is not cached.
I had put the subnet first last night, as well as under user, then I got locked out because doing so changes the user password.
So, earlier today, I wasn't thinking well, and had gotten frustrated that I had to deal with this today, and ended up putting ether 2's address. I will put back the subnet so I am not limited.
I had noticed in the firewall pic above in the thread that I was dropping traffic and concluded it must be my communication attempt via the 10.0.8.0 network, and that is why I placed it above invalid. I shall give it a try.
I have been configuring the router without connecting the WAN, that's why, and since it will be connected to pfSense and not a real WAN.
It's all working now after figuring out my login/password problem for the second user.
I had been creating the password, reconfirming it, then clicking apply, then clicking okay. Well, doing so killed the newly created password when I clicked okay. One has only one choice: one either clicks apply or clicks okay… not both, what a lesson!
I also followed Anav's suggestion of moving the input rule below the invalid rule… thank you, all is good.