RB-5009 Initial Setup and VLAN configuration

bradi · November 18, 2021, 11:52am

Hi all,

I recently purchased an RB-5009 to replace two Netgear switches I have. As I struggled last time http://forum.mikrotik.com/t/rb4011-hap-ac-lite-vlan-configuration/147819/1 setting up my RB-4011 I have been careful this time in setting up my configuration changes one at a time, but seem to be missing some fundamental understanding about RouterOS or the order changes should be implemented. This at some point in my configuration changes kicks me out and prevents further access to the router until it is powered off and reset.

This is my test configuration (which I think should do what I want)

###############################################################################
# Topic:		RB-5009 Initial Setup and VLAN configuration Post 1
# Example:		Isolated VLANs with upstream Router, no WAN, no Firewall
# Web:			https://forum.mikrotik.com/viewtopic.php?t=891803
# RouterOS:		7.0.5 Stable
# Model:                RB5009UG+S+
# Date:			2021-11-18
# Notes:		Working example of intial setup and configuration changes.
# Thanks:		Mikrotik
###############################################################################

# VLAN Overview
#######################################
# 1 = Default_VLAN1 NOT IN USE
# 50 = Server_VLAN50 (Management VLAN) (192.168.5.0/24)
# 100 = Back_VLAN100 (192.168.10.0/24)
# 200 = Cabin_VLAN200 (192.168.20.0/24)
# 300 = House_VLAN300 (192.168.30.0/24)
# 400 = Wifi_VLAN400 (192.168.40.0/24)
# 500 = Guest_VLAN500 (192.168.50.0/24)
# 600 = IoT_VLAN600 (192.168.60.0/24)

# Interfaces
#######################################
/interface ethernet
set [ find default-name=ether1 ] name=Eth1_SG-2100_Port2
set [ find default-name=ether2 ] name=Eth2_Hammerstein
set [ find default-name=ether3 ] name=Eth3_Backberry
set [ find default-name=ether4 ] name=Eth4_Kodi
set [ find default-name=ether5 ] name=Eth5_UNUSED
set [ find default-name=ether6 ] name=Eth6_UNUSED
set [ find default-name=ether7 ] name=Eth7_UNUSED
set [ find default-name=ether8 ] name=Eth8_UNUSED

/interface vlan
add interface=RB-5009_Bridge name=Server_VLAN50 vlan-id=50

/interface list
add comment="All network ports" name=LAN
add comment="VLAN Trunk to SG-2100" name=VLAN_Trunk
add comment="All Server_VLAN50 devices" name=Server_VLAN50
add comment="All Back_VLAN100 devices" name=Back_VLAN100
add comment="All VLAN devices" name=VLAN

/interface list member
add interface=RB-5009_Bridge list=LAN
add interface=Eth1_SG-2100_Port2 list=LAN
add interface=Eth2_Hammerstein list=LAN
add interface=Eth3_Backberry list=LAN
add interface=Eth4_Kodi list=LAN

add interface=RB-5009_Bridge list=VLAN_Trunk
add interface=Eth1_SG-2100_Port2 list=VLAN_Trunk

add interface=Eth1_SG-2100_Port2 list=Server_VLAN50
add interface=Eth3_Backberry list=Server_VLAN50
add interface=Eth2_Hammerstein list=Back_VLAN100
add interface=Eth4_Kodi list=Back_VLAN100

# Bridge
#######################################
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no name=RB-5009_Bridge vlan-filtering=no

/interface bridge port
add bridge=RB-5009_Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=Eth1_SG-2100_Port2
add bridge=RB-5009_Bridge interface=Eth2_Hammerstein pvid=100
add bridge=RB-5009_Bridge interface=Eth3_Backberry pvid=50
add bridge=RB-5009_Bridge interface=Eth4_Kodi pvid=100

/interface bridge vlan
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth1_SG-2100_Port2 vlan-ids=50,100,200,300,400,500,600
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth2_Hammerstein vlan-ids=100
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth3_Backberry vlan-ids=50
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth4_Kodi vlan-ids=100

# IP Services
#######################################
/ip address
add address=192.168.5.250/24 interface=Server_VLAN50 network=192.168.5.0

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-table=main suppress-hw-offload=no

/ip pool
add name=BACK_VLAN100-dhcp ranges=192.168.10.101-192.168.10.199

/ip dhcp-server
add address-pool=BACK_VLAN100-dhcp interface=RB-5009_Bridge name=TMP_DHCPSVR

/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 ntp-server=192.168.10.1

/ip dns
set allow-remote-requests=yes servers=192.168.5.1

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ip cloud
set update-time=no

# Firewall
#######################################
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

# System
#######################################
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/Auckland

/system identity
set name=RB-5009

/system ntp client
set enabled=yes primary-ntp=192.168.5.1 server-dns-names=nz.pool.ntp.org

/system ntp client servers
add address=192.168.5.1

/system package update
set channel=testing

/system routerboard settings
set cpu-frequency=auto

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/ip ssh
set strong-crypto=yes

Any thoughts or feedback on whether the script should work as expected or any glaringly obvious problems / errors?

EDIT: FYI I already have a pfSense firewall providing Internet / IP Services / Routing / VLANs which is connected to an existing RB4011 (with VLANs) the RB-5009 will connect to the 2nd LAN port on the firewall, so basically only need the access ports, trunk and IP address for the management VLAN (Server_VLAN50 / 192.168.5.250/24) so I can replace the existing Netgears with the RB-5009.

sid5632 · November 18, 2021, 12:42pm

The glaring stuff is this:

/interface bridge add admin-mac=00:00:00:00:00:00 auto-mac=no name=RB-5009_Bridge vlan-filtering=no

MAC address like this is never going to work.

/interface bridge vlan
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth1_SG-2100_Port2 vlan-ids=50,100,200,300,400,500,600
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth2_Hammerstein vlan-ids=100
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth3_Backberry vlan-ids=50
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth4_Kodi vlan-ids=100

You should group these by vlan-id not by interface. I don’t know if this will work properly.

/ip pool add name=BACK_VLAN100-dhcp ranges=192.168.10.101-192.168.10.199
/ip dhcp-server add address-pool=BACK_VLAN100-dhcp interface=RB-5009_Bridge name=TMP_DHCPSVR

DHCP-server should go on the VLAN interface, which you haven’t defined, and obviously you need
to add an IP address on it when you do.

I guess your firewall is all disabled because you can’t get anything to work.

bradi · November 18, 2021, 1:08pm

Thanks sid5632, yea the MAC address is just a dummy, this will be updated before I run “/system reset-configuration”. Yep firewall is disabled to save my sanity for now. I also realise that I have “/interface bridge vlan-filtering=no” and the DHCP configuration configured without being VLAN aware and will change this when I feel that I have a reasonably reliable script as these and the “/interface vlan” commands are the ones that lock me out and force a hard reset.

With regards to the “/interface bridge vlan”, I am also unsure if I need anything but the trunk (Eth1_SG-2100_Port2) port configured here since at this point in time all the remaining ports will be VLAN access ports. I guess my questions are “do I need to mention the untagged (i.e. access ports) in the /interface bridge vlan” and “do I need to add the individual VLANs to /interface vlan”

/interface bridge vlan
add bridge=RB_5009_Bridge tagged=RB-5009_Bridge,Eth1_SG-2100_Port2 vlan-ids=50,100,200,300,400,500,600
add bridge=RB_5009_Bridge untagged=RB-5009_Bridge,Eth2_Hammerstein vlan-ids=100
add bridge=RB_5009_Bridge untagged=RB-5009_Bridge,Eth3_Backberry vlan-ids=50
add bridge=RB_5009_Bridge untagged=RB-5009_Bridge,Eth4_Kodi vlan-ids=100

or is it enough to mention them in the “/interface bridge port” configuration and remove them from the “/interface bridge vlan” as they “should” be dynamically added

/interface bridge port
add bridge=RB-5009_Bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=Eth1_SG-2100_Port2
add bridge=RB-5009_Bridge interface=Eth2_Hammerstein pvid=100
add bridge=RB-5009_Bridge interface=Eth3_Backberry pvid=50
add bridge=RB-5009_Bridge interface=Eth4_Kodi pvid=100

anav · November 18, 2021, 2:27pm

Is the 5009 acting as a switch or a router.
In the previous topic, you had a firewall device in between the ISP and the RB4011.
Is that still the case between internet and 5009 and if so what does the firewall provide?
(just identifies vlans)
(identifies vlans and creates the subnets dchp, pool, address etc…)
???

bradi · November 19, 2021, 4:12am

Hi anav,

The RB-5009 will basically be a switch (with firewalling) and all IP services (Internet, Routing, Firewalling, DNS, DHCP, NTP, etc) are provided to the network by the pfSense firewall (while it is not as powerful as the Mikrotik gear I have it is much more functional and flexible). I have defined the VLANs on the firewall and RB-4011 and have an existing working trunk between them with existing devices using access ports and another hAP AC Lite configured via another trunk from the RB-4011, I want to use the 2nd trunk on the pfSense firewall which currently goes to a Netgear switch and move this to the RB-5009. So basically need to configure a trunk port and VLANs on the RB-5009.

If you refer to my original post about the RB-4011 the RB-5009 will be the SWITCH (192.168.5.250) in the diagram.

anav · November 19, 2021, 12:15pm

kk
I would also use the unused ether8 as ether8-emergaccess.
Give it an IP of 192.168.66.2 network 192.168.66.0
take ether8 off the bridge.
Ensure you add it to the management interface as a member.

Step 1:
You have to define ALL the vlans on the RB5009, you only have defined vlan50 ???
In other words they all need to be identified and with interface being the bridge.

Step 2:
Since its not routing, you dont need any firewall rules

Step3:
Ensure the router has an IP address on the management vlan subnet.

Step4:
Ensure the router has an IP route to the gateway IP of the management vlan
dest address=0.0.0.0/0 gateway =192.168.5.1

Step5: the only interface you need to define (not wan, not lan)
/interface list
add name=MGMT
/interface list members
add interface=vlan50 list=MGMT
add interface=ether8-emergaccess list=MGMT

Step6:
Setup the bridge ports

/interface bridge ports
EACH port/WLAN that is attached to the bridge gets ONE line
EACH port/WLAN is either
associated as a TRUNK port (carrying one or more vlans as tagged packets both outgoing and incoming to the port - aka to smart managed devices)
OR
associated as an access port (carrying one vlan which will be untagged coming out of the port and tagged when coming back into the port - aka to dumb devices PCs)
OR
(there can also be hyrid ports if requried (multiple tagged vlans and one untagged vlan).

/interface bridge vlas
EACH VLAN ID gets one line ( an exception is two or more vlan-ids are identical in their tagging)
Bridge is tagged as well as all trunk ports
All access ports are automatically dynamically untagged due to the associated pvid setting for access ports on the bridge port settings.
However I also manually untagg them on the bridge vlan settings so that I can quickly understand a config.

In summary, the MT Router acting solely as a bridge is quite a simple clean setup.
Give it a go and then provide the config as per

/export hide-sensitive file=anynameyouwish

Step 7
Setup the bridge vlans

Step 8
Turn on vlan filtering on bridge.

bradi · November 20, 2021, 7:56am

Thanks anav, your suggestion to add ether8 as a management port was the kick in my head I needed to be able to get the configuration below. Thanks very much for your assistance.

###############################################################################
# Topic:		RB-5009 Initial Setup and VLAN configuration Post 2
# Example:		Isolated VLANs with upstream Router, no WAN, no Firewall
# Web:			http://forum.mikrotik.com/t/rb-5009-initial-setup-and-vlan-configuration/153441/1
# RouterOS:		7.0.5 Stable
# Model:                RB5009UG+S+
# Date:			2021-11-18
# Notes:		Working example of intial setup and configuration changes
# Thanks:		Mikrotik, sid5632, anav
###############################################################################

# VLAN Overview
#######################################
# 1 = Default_VLAN1 NOT IN USE
# 50 = Server_VLAN50 (Management VLAN) (192.168.5.0/24)
# 100 = Back_VLAN100 (192.168.10.0/24)
# 200 = Cabin_VLAN200 (192.168.20.0/24)
# 300 = House_VLAN300 (192.168.30.0/24)
# 400 = Wifi_VLAN400 (192.168.40.0/24)
# 500 = Guest_VLAN500 (192.168.50.0/24)
# 600 = IoT_VLAN600 (192.168.60.0/24)

# Port Overview
#######################################
# ether1 = Trunk port to SG-2100 Port 2 (All VLANs)
# ether2 = Windows device (VLAN100)
# ether3 = Linux device (VLAN50)
# ether4 = Linux device (VLAN100)
# ether5 = Unused
# ether6 = Unused
# ether7 = Unused
# ether8 = Management access to RB-5009 (192.168.5.99)
# sfp-sfpplus1 = Unused (No WAN)

# Router Access
#######################################
# RB-5009_Bridge = 192.168.5.250/24 (VLAN aware)
# ether8 = 192.168.5.99/24

# Interfaces
#######################################
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no name=RB-5009_Bridge vlan-filtering=\
    yes

/interface ethernet
set [ find default-name=ether1 ] name=Eth1_SG-2100_Port2
set [ find default-name=ether2 ] name=Eth2_Hammerstein
set [ find default-name=ether3 ] name=Eth3_Backberry
set [ find default-name=ether4 ] name=Eth4_Kodi
set [ find default-name=ether5 ] name=Eth5_UNUSED
set [ find default-name=ether6 ] name=Eth6_UNUSED
set [ find default-name=ether7 ] name=Eth7_UNUSED
set [ find default-name=ether8 ] name=Eth8_Management

/interface vlan
add interface=RB-5009_Bridge name=Server_VLAN50 vlan-id=50

/interface list
add comment="All network ports" name=LAN
add comment="WAN port" name=WAN
add comment="VLAN Trunk to SG-2100" name=VLAN_Trunk
add comment="All Server_VLAN50 devices" name=Server_VLAN50_Devices
add comment="All Back_VLAN100 devices" name=Back_VLAN100_Devices
add comment="All VLAN devices" name=VLAN_Devices
add comment="All management devices" name=Management_Devices

/interface list member
add comment="Default_WAN" interface=sfp-sfpplus1 list=WAN

add comment="Default_Bridge" interface=RB-5009_Bridge list=LAN
add comment="VLAN_Trunk" interface=Eth1_SG-2100_Port2 list=LAN
add interface=Eth2_Hammerstein list=LAN
add interface=Eth3_Backberry list=LAN
add interface=Eth4_Kodi list=LAN
add interface=Eth5_UNUSED list=LAN
add interface=Eth6_UNUSED list=LAN
add interface=Eth7_UNUSED list=LAN
add comment="Management_Port" interface=Eth8_Management list=LAN

add interface=RB-5009_Bridge list=VLAN_Trunk
add interface=Eth1_SG-2100_Port2 list=VLAN_Trunk

add interface=RB-5009_Bridge list=Server_VLAN50_Devices
add interface=Eth1_SG-2100_Port2 list=Server_VLAN50_Devices
add interface=Eth3_Backberry list=Server_VLAN50_Devices

add interface=Eth2_Hammerstein list=Back_VLAN100_Devices
add interface=Eth4_Kodi list=Back_VLAN100_Devices

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

# Bridge
#######################################
/interface bridge port
add bridge=RB-5009_Bridge frame-types=admit-only-vlan-tagged ingress-filtering=\
    yes interface=Eth1_SG-2100_Port2
add bridge=RB-5009_Bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=Eth2_Hammerstein pvid=100
add bridge=RB-5009_Bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=Eth3_Backberry pvid=50
add bridge=RB-5009_Bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=Eth4_Kodi pvid=100

/interface bridge vlan
# port with pvid added to untagged group which might cause problems, consider addi
 g a seperate VLAN entry
add bridge=RB-5009_Bridge tagged=RB-5009_Bridge,Eth1_SG-2100_Port2 vlan-ids=\
    1,50,100,200,300,400,500,600

# TCP/IP
#######################################
/ip neighbor discovery-settings
set discover-interface-list=all

/ip address
add address=192.168.5.250/24 interface=Server_VLAN50 network=192.168.5.0
add address=192.168.5.99/24 interface=Eth8_Management network=192.168.5.0

/ip cloud
set update-time=no

/ip dns
set allow-remote-requests=yes servers=192.168.5.1

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=main \
    suppress-hw-offload=no

/ip ssh
set strong-crypto=yes

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

# System
#######################################
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/Auckland

/system identity
set name=RB-5009

/system ntp client
set enabled=yes

/system ntp client servers
add address=192.168.5.1

/system package update
set channel=testing

/system routerboard settings
set cpu-frequency=auto

/tool mac-server
set allowed-interface-list=all

/tool mac-server mac-winbox
set allowed-interface-list=all

This is working for me and I have devices connected to the RB-5009 utilising VLAN 100 and 50 just fine, everything working as expected.