RB2011UiAS - How to best bridge the two switch chips

I have a RB2011UiAS that I have configured as follows:

Bridges:
br-lan (vlan2)
br-loopback
br-man (vlan4)
br-ser (vlan5)

eth1 - Trunk (secure, add if missing)
eth2 - Trunk (secure, add if missing) [downstream bonded-rr, balanced in + out!!!]
eth3 - Trunk (secure, add if missing) [downstream bonded-rr, balanced in + out!!!]
eth4 - Vlan2 (secure, always strip)
eth5 - Vlan2 (secure, always strip)
switch1 cpu (secure, add if missing, auto default vlan ID)
eth6 - Vlan4 (secure, always strip)
eth7 - Vlan2 (secure, always strip)
eth8 - Vlan2 (secure, always strip)
eth9 - Vlan2 (secure, always strip)
eth10 - Trunk (secure, add if missing)
switch2 cpu (secure, add if missing, default vlan ID 4)

My first problem is: with the above configuration I cannot access anything off the second switch chip.

Second problem: I would like to use eth4 and eth7 (eth4 and eth5 would be preferable, but at the moment I cannot do that) as RSTP ports going to two unmanaged gigE switches that handle the even/odd drops. Whenever I connect the two cross-connected switches to their respective ports, I lose connectivity to vlan4 on switch2! Why? = /

Third question, really: how would I configure the switch chip's bridge-nat to move traffic from a port onto a specific VLAN based on the MAC address seen on the port? I searched the forum for bridge-nat but didn't get a hit.

I’d like to make use of some older 2.4 GHz + 5 GHz WAPs I have around and set it up so that all MACs not matching a specific couple of entries end up on a separate VLAN with its own firewall rules, while the matching entries end up on the LAN VLAN.

Thank you! :smiley:

        • Configs - - - -

# RouterOS export from rtr1 (RB2011UiAS, two switch chips bridged via the CPU).
# Lines marked NOTE(review) point out what the export shows and what should be
# confirmed on the device; they do not change the configuration.
/interface bridge
# One routed bridge per VLAN plus a loopback bridge. forward-delay is set, but no
# protocol-mode is exported, so the STP/RSTP mode in effect is this RouterOS
# version's default — confirm with /interface bridge print before relying on RSTP.
add forward-delay=4s name=br-lan
add name=br-loopback
add forward-delay=4s name=br-man
add forward-delay=4s name=br-ser
/interface ethernet
# Switch chip 1: e2-e5 and sfp1 are slaves of master-port e1; the chip1-vlan*
# sub-interfaces below hang off e1.
set [ find default-name=ether1 ] name=e1
set [ find default-name=ether2 ] master-port=e1 name=e2
set [ find default-name=ether3 ] master-port=e1 name=e3
set [ find default-name=ether4 ] master-port=e1 name=e4
set [ find default-name=ether5 ] master-port=e1 name=e5
set [ find default-name=ether10 ] name=e10
set [ find default-name=sfp1 ] master-port=e1 name=sfp1-gateway
/ip neighbor discovery
# Neighbor discovery disabled only on the uplink-facing ports.
set e1 discover=no
set sfp1-gateway discover=no
/interface vlan
# VLAN sub-interfaces per master port. vlan-id=3 on chip1 is the ISP/WAN VLAN
# (DHCP client and the input-chain drop below refer to chip1-vlan3).
# NOTE(review): chip2-vlan5 is created here and bridged into br-ser, but the
# switch2 VLAN table further down has no vlan-id=5 entry; with vlan-mode=secure
# on every port that VLAN cannot pass through switch chip 2.
add interface=e1 l2mtu=1594 name=chip1-vlan2 vlan-id=2
add interface=e1 l2mtu=1594 name=chip1-vlan3 vlan-id=3
add interface=e1 l2mtu=1594 name=chip1-vlan4 vlan-id=4
add interface=e1 l2mtu=1594 name=chip1-vlan5 vlan-id=5
add interface=e10 l2mtu=1594 name=chip2-vlan2 vlan-id=2
add interface=e10 l2mtu=1594 name=chip2-vlan4 vlan-id=4
add interface=e10 l2mtu=1594 name=chip2-vlan5 vlan-id=5
/interface ethernet
# Switch chip 2: e6-e9 are slaves of master-port e10.
set [ find default-name=ether6 ] master-port=e10 name=e6
set [ find default-name=ether7 ] master-port=e10 name=e7
set [ find default-name=ether8 ] master-port=e10 name=e8
set [ find default-name=ether9 ] master-port=e10 name=e9
/interface ethernet switch port
# Every port is vlan-mode=secure: only VLANs listed in the switch vlan table are
# forwarded, and tagging follows vlan-header / default-vlan-id.
# NOTE(review): the numeric index -> interface mapping is not part of this export.
# The prose description gives default VLAN 4 only to eth6 and switch2-cpu, yet
# indices 1, 10 and 12 all carry default-vlan-id=4 — confirm the mapping with
# /interface ethernet switch port print before trusting the trunk settings.
set 0 vlan-header=add-if-missing vlan-mode=secure
set 1 default-vlan-id=4 vlan-header=add-if-missing vlan-mode=secure
set 2 vlan-header=add-if-missing vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 9 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 10 default-vlan-id=4 vlan-header=add-if-missing vlan-mode=secure
set 11 vlan-header=add-if-missing vlan-mode=secure
set 12 default-vlan-id=4 vlan-header=add-if-missing vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=pool-lan ranges=192.168.202.100-192.168.202.200
add name=pool-ser ranges=192.168.205.100-192.168.205.200
/ip dhcp-server
# DHCP is served on the LAN and server VLANs only; br-man has no server.
add add-arp=yes address-pool=pool-lan always-broadcast=yes authoritative=yes disabled=no interface=br-lan
lease-time=2m30s name=dhcp-lan
add add-arp=yes address-pool=pool-ser always-broadcast=yes authoritative=yes disabled=no interface=br-ser
lease-time=2m30s name=dhcp-ser
/port
set 0 name=serial0
/routing ospf area
set [ find default=yes ] disabled=yes
add area-id=0.0.0.200 name=area200
/routing ospf instance
# NOTE(review): the ospf-in / ospf-out prefix lists defined under
# /routing prefix-lists are never attached here (no in-filter= / out-filter=),
# so as exported they have no effect on what is accepted or advertised.
set [ find default=yes ] redistribute-other-ospf=as-type-2 redistribute-static=as-type-1 router-id=10.0.0.3
/routing ospf-v3 area
set [ find default=yes ] disabled=yes
/interface bridge port
# Each VLAN is stitched across the two switch chips through the CPU: the chip1
# and chip2 sub-interfaces for a VLAN are members of the same bridge.
add bridge=br-lan interface=chip1-vlan2
add bridge=br-man interface=chip1-vlan4
add bridge=br-ser interface=chip1-vlan5
add bridge=br-lan interface=chip2-vlan2
add bridge=br-man interface=chip2-vlan4
add bridge=br-ser interface=chip2-vlan5
/interface ethernet switch vlan
# switch1 VLAN table. vlan-id=3 (the ISP VLAN) is carried on trunks e1, e2 and e3,
# so whatever sits on the downstream bonded trunk also receives the WAN VLAN.
add independent-learning=no ports=e1,e2,e3,e4,e5,switch1-cpu switch=switch1 vlan-id=2
add independent-learning=yes ports=e1,e2,e3,switch1-cpu switch=switch1 vlan-id=3
add independent-learning=no ports=e1,e2,e3,switch1-cpu switch=switch1 vlan-id=4
add independent-learning=no ports=e2,e3,switch1-cpu switch=switch1 vlan-id=5
# switch2 VLAN table: only VLANs 2, 4 and 6 exist here (no vlan-id=5, see the
# chip2-vlan5 note above), and independent-learning is left at its default.
# NOTE(review): if learning is shared across VLANs on this chip, a loop on VLAN 2
# through the cross-connected unmanaged switches on e4/e7 could disturb MAC
# learning for VLAN 4 as well — worth checking when the vlan4 loss reproduces.
add ports=e10,e7,e8,e9,switch2-cpu switch=switch2 vlan-id=2
add ports=e6,e10,switch2-cpu switch=switch2 vlan-id=4
add independent-learning=no ports=e1,e2,e3,switch1-cpu switch=switch1 vlan-id=6
add ports=switch2-cpu switch=switch2 vlan-id=6
/ip address
add address=192.168.202.10/24 comment=LAN interface=br-lan network=192.168.202.0
add address=192.168.204.10/24 comment=Managment interface=br-man network=192.168.204.0
add address=192.168.205.10/24 comment=Servers interface=br-ser network=192.168.205.0
add address=10.0.0.3/32 interface=br-loopback network=10.0.0.3
/ip arp
add address=192.168.202.2 comment=“wireless access point” interface=br-lan mac-address=C0:A0:BB:FB:FF:DC
/ip dhcp-client
# WAN address comes from the ISP via DHCP on the VLAN 3 sub-interface.
add comment=“ISP assignment” default-route-distance=0 dhcp-options=clientid,hostname disabled=no interface=
chip1-vlan3
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network

/ip dns
# Recursive DNS is answered on every interface; only the input-chain drop on
# chip1-vlan3 below keeps it from being reachable from the ISP side.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static

/ip firewall filter
# Input chain: ICMP, established and related are accepted from anywhere; all other
# input from the WAN VLAN (chip1-vlan3) is dropped. Input from the internal VLANs
# falls through to the implicit accept, so DNS, UDP/3001 and management services
# are reachable from br-lan, br-man and br-ser alike.
# Forward chain: only invalid connections are dropped. There is no rule separating
# the VLANs, so br-lan, br-man, br-ser and the WAN VLAN are routed freely between
# each other. NOTE(review): the per-VLAN separation described in the post needs
# explicit forward rules here; nothing in this chain enforces it today.
add chain=input comment=“default configuration” protocol=icmp
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
add action=drop chain=input comment=“default configuration” in-interface=chip1-vlan3
add chain=forward comment=“default configuration” connection-state=established
add chain=forward comment=“default configuration” connection-state=related
add action=drop chain=forward comment=“default configuration” connection-state=invalid
# Sits after the WAN drop, so it only admits the internal VLANs; no comment says
# what listens on UDP/3001 — worth documenting.
add chain=input dst-port=3001 protocol=udp
/ip firewall nat
# No NAT rules are exported (no masquerade / src-nat).

/ip firewall service-port
# Connection-tracking helpers disabled; fewer protocol parsers exposed to traffic.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip proxy

/ip upnp
set allow-disable-external-interface=no
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
/lcd interface
set sfp1-gateway disabled=yes interface=sfp1-gateway
set e1 interface=e1 timeout=1s
set e2 disabled=yes interface=e2
set e3 disabled=yes interface=e3
set e4 disabled=yes interface=e4
set e5 disabled=yes interface=e5
set e6 disabled=yes interface=e6
set e7 disabled=yes interface=e7
set e8 disabled=yes interface=e8
set e9 disabled=yes interface=e9
set e10 disabled=yes interface=e10
/lcd interface pages
set 0 interfaces=e1
/routing ospf area range
add area=area200 range=192.168.200.0/21
/routing ospf interface
# br-ser is the only non-passive OSPF interface. NOTE(review): no authentication=
# is set on it, so any host on the server VLAN can form an adjacency and inject
# routes; consider enabling OSPF authentication on this interface.
add dead-interval=45s hello-interval=9s interface=br-ser network-type=broadcast retransmit-interval=6s
transmit-delay=5s
add interface=br-loopback network-type=nbma passive=yes
add interface=br-lan network-type=broadcast passive=yes
add interface=br-man network-type=broadcast passive=yes
/routing ospf network
add area=area200 network=192.168.202.0/24
add area=area200 network=192.168.204.0/24
add area=area200 network=192.168.205.0/24
/routing prefix-lists
# Defined but not referenced by the OSPF instance above (see note there).
add chain=ospf-in prefix=192.168.0.0/16 prefix-length=0-32
add chain=ospf-in prefix=10.0.0.0/24 prefix-length=0-32
add chain=ospf-out prefix=192.168.0.0/16 prefix-length=0-32
add chain=ospf-out prefix=10.0.0.0/24 prefix-length=0-32
/system clock
set time-zone-name=America/New_York
/system identity
set name=rtr1
/system ntp client
set enabled=yes mode=unicast primary-ntp=— secondary-ntp=204.2.134.162
/system routerboard settings
set cpu-frequency=750MHz
/tool mac-server
# MAC telnet: the default entry is disabled, then enabled per port on e2-e10
# (e1, the WAN-facing master, is left out). NOTE(review): the bare `add` at the
# end has no interface=; on RouterOS that appears to default to interface=all,
# which would re-enable MAC telnet on every interface including e1 — confirm with
# /tool mac-server print and remove the entry if so.
set [ find default=yes ] disabled=yes
add interface=e2
add interface=e3
add interface=e4
add interface=e5
add interface=e6
add interface=e7
add interface=e8
add interface=e9
add interface=e10
add
/tool mac-server mac-winbox
# MAC Winbox: same pattern as MAC telnet above, and the same trailing bare `add`
# applies — confirm with /tool mac-server mac-winbox print.
set [ find default=yes ] disabled=yes
add interface=e2
add interface=e3
add interface=e4
add interface=e5
add interface=e6
add interface=e7
add interface=e8
add interface=e9
add interface=e10
add
[admin@rtr1]

For the ping issue on vlan4 of the second switch chip, it’s actually intermittent packet loss that I’m experiencing: I’d say five minutes unreachable, and then maybe a minute or two where pings go through.