RB4011iGS+RM plus CAP AC - VLANs in the home

Thanks to @pcunite and @mkx - for the help in an earlier post. I was attempting to set up a home network with a CRS125 series but decided to switch to the above hardware.

It appears I have all of my hard wired vlans working (and of course now I need a diagram).

First things first - I’ll list out my vlans and what I’m trying to do.
VLANs (note that I’m using smaller networks because it’s a home and I figure I’ll never need more than 30-60 addresses per VLAN)
vlan10 - Home/Work - ether2 - access port - 10.1.10.0/27 - (Needs WiFi through CAP AC)
vlan20 - Gaming - ether3 - access port - 10.1.20.0/27
vlan30 - Servers - ether4 - access port - 10.1.30.0/27
vlan40 - IOT (Internet of Things) - ether6, ether7 - access port - 10.1.40.0/26 (Needs WiFi through CAP AC)
vlan50 - Guest WiFi - ether10 with connected cap AC - 10.1.50.0/27 (Needs WiFi through CAP AC)
vlan60 - Printers - ether8 - 10.1.60.0/27 (Needs WiFi through CAP AC)
vlan100 - Management vlan for network gear - ether5 - 10.1.100.0/27 (don’t ask me why I chose port 5… didn’t feel like redoing everything)

All of my wired ports seem to be working ok. I don’t have any inter-vlan routing setup, which I may need for certain devices.

I’ll post my current config here:
Interface

/interface bridge
add name=bridge-p2-10 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge-p2-10 name=GAMING vlan-id=20
add interface=bridge-p2-10 name=HOME_WORK vlan-id=10
add interface=bridge-p2-10 name=IOT vlan-id=40
add interface=bridge-p2-10 name=MGMT_VLAN vlan-id=100
add interface=bridge-p2-10 name=PRINTERS vlan-id=60
add interface=bridge-p2-10 name=SERVERS vlan-id=30
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=MGMT
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=30
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=40
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=40
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=60
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=100
/interface bridge vlan
add bridge=bridge-p2-10 tagged=bridge-p2-10 untagged=ether4 vlan-ids=30
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 untagged=ether6,ether7 vlan-ids=40
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 untagged=ether8 vlan-ids=60
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 untagged=ether2 vlan-ids=10
add bridge=bridge-p2-10 tagged=bridge-p2-10 untagged=ether3 vlan-ids=20
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 vlan-ids=50
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 untagged=ether5 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=MGMT
add interface=HOME_WORK list=VLANS
add interface=GAMING list=VLANS
add interface=SERVERS list=VLANS
add interface=IOT list=VLANS
add interface=PRINTERS list=VLANS
IP
/ip pool
add name=HOME_WORK_POOL ranges=10.1.10.2-10.1.10.30
add name=GAMING_POOL ranges=10.1.20.2-10.1.20.30
add name=SERVERS_POOL ranges=10.1.30.2-10.1.30.30
add name=IOT_POOL ranges=10.1.40.2-10.1.40.62
add name=PRINTERS_POOL ranges=10.1.60.2-10.1.60.30
add name=MGMT_POOL ranges=10.1.100.2-10.1.100.30
/ip dhcp-server
add address-pool=HOME_WORK_POOL disabled=no interface=HOME_WORK name=HOME_WORK_DHCP
add address-pool=GAMING_POOL disabled=no interface=GAMING name=GAMING_DHCP
add address-pool=SERVERS_POOL disabled=no interface=SERVERS name=SERVERS_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT name=IOT_DHCP
add address-pool=PRINTERS_POOL disabled=no interface=PRINTERS name=PRINTERS_DHCP
add address-pool=MGMT_POOL disabled=no interface=MGMT_VLAN name=MGMT_DHCP
/ip address
add address=10.1.100.1/27 interface=MGMT_VLAN network=10.1.100.0
add address=10.1.10.1/27 interface=HOME_WORK network=10.1.10.0
add address=10.1.20.1/27 interface=GAMING network=10.1.20.0
add address=10.1.30.1/27 interface=SERVERS network=10.1.30.0
add address=10.1.40.1/26 interface=IOT network=10.1.40.0
add address=10.1.60.1/27 interface=PRINTERS network=10.1.60.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.10.0/27 dns-server=10.1.100.1 gateway=10.1.10.1
add address=10.1.20.0/27 dns-server=10.1.100.1 gateway=10.1.20.1
add address=10.1.30.0/27 dns-server=10.1.100.1 gateway=10.1.30.1
add address=10.1.40.0/26 dns-server=10.1.100.1 gateway=10.1.40.1
add address=10.1.60.0/27 dns-server=10.1.100.1 gateway=10.1.60.1
add address=10.1.100.0/27 dns-server=10.1.100.1 gateway=10.1.100.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.1.10.0/27 list=HOME_WORK_VLAN
add address=10.1.20.0/27 list=GAMING_VLAN
add address=10.1.30.0/27 list=SERVERS_VLAN
add address=10.1.40.0/26 list=IOT_VLAN
add address=10.1.50.0/27 list=GUEST_WIFI_VLAN
add address=10.1.60.0/27 list=PRINTERS_VLAN
add address=10.1.100.0/27 list=MGMT_VLAN
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip firewall filter
add action=drop chain=input comment="Rule 1 Input Chain Drop Invalid #LMB" connection-state=invalid
add action=drop chain=forward comment="Rule 2 Forward Chain Drop Invalid #LMB" connection-state=invalid
add action=accept chain=input comment="Rule 3 Modified for interface list #LMB" in-interface-list=MGMT
add action=accept chain=input comment="Related to Rule 3 Accept internal vlans for dns input chain" in-interface-list=VLANS
add action=accept chain=input comment="Rule 4 Input Chain Accept established #LMB" connection-state=established
add action=drop chain=input comment="Rule 5 Drop all others to router #LMB"
add action=accept chain=forward comment="Rule 6 Modified allow new connections from all VLANS #LMB" connection-state=new in-interface-list=VLANS out-interface-list=WAN
add action=accept chain=forward comment="Rule 7 Forward Chain Allow related connections through router #LMB" connection-state=related
add action=accept chain=forward comment="Rule 8 Forward Chain Allow established connections through router #LMB" connection-state=established
add action=drop chain=forward comment="Rule 9 Drop all other connections through router"
/ip firewall nat
add action=masquerade chain=srcnat comment="Masq for internet wan port ether 1" out-interface-list=WAN

Now for my questions:

So now I’m confused about what to do with the CAP AC.
(Technically, I would like to have WiFi on VLANs 10, 40, 50, and 60, probably with separate SSIDs for each.)

Do I need CAPSMan?
(I can’t see myself ever having more than one CAP AC for the next few years- although one day I may have more.)

Do I need to get rid of the default VLAN of 0 on interface ethernet switch port? If so, what do I set it to?

If you want to have several SSIDs, one per VLAN, then you need a trunk port (carrying all needed VLANs) on both the RB4011 and the cAP ac … and then configure plenty of virtual APs and set them as access ports (with pvid set) of the corresponding VLANs.

No use for capsMan if you won’t run a few APs.

Don’t bother with the /interface ethernet switch configuration subtree; it’s not important in your case. And default vlan id = 0 should be just fine; it means untagged.

Assuming you are following this guide, set the cAP AC exactly as demonstrated in the article. Always think of an SSID as a VLAN access port, a port that handles as many WiFi clients as know the password. You don’t need to use CAPSMan with only a single unit.

Regarding the router, those settings are the default. You don’t have to set them yourself. They will appear in the export, but you may disregard them.

So the CAP AC is refusing to give out an IP on port 2.

Any ideas?

I’ve tried the 5 second reset
Manually setting my laptop to 192.168.88.2 while connected to port 2
I’ve tried mac addresses through winbox

How the heck do you get into this thing?

Isn’t it fun? : - )

Plug your PC and cAP AC into a switch. Manually assign the PC an .88 network (192.168.88.123). Reset the cAP AC. When it boots back up, you can connect to it via IP or MAC.

Thanks. I seem to have gotten in via the MAC route. However, that MAC wasn’t listed on the back.
I had to use the discover in winbox, and it finally found it.

I also have no idea how they’ve firewalled off ethernet port 1, as there are no firewall rules in this thing either.

So I think I’m 90% of the way there.

I got the CAP AC working with its Home, IOT, Guest, and Printer vlans.

However, I’m wondering in all of this- how do I do inter-vlan routing? i.e. I want a laptop on vlan10 to talk to the printer on vlan60?
Do I need some static routes? Or just firewall filter rules?

It’s a bit late right now, but I’ll see if I can get some time in the next few days to post the configs and a diagram if needed.

You should add some accept rules to your firewall. Right now you have

add action=accept chain=forward comment="Rule 6 Modified allow new connections from all VLANS #LMB" connection-state=new in-interface-list=VLANS out-interface-list=WAN

So you need some similar rules for particular VLANx->VLANy relations (e.g. in-interface=HOME-WORK out-interface=SERVERS). With the right rule set, the above rule only works for packets with connection-state=new and is thus direction-selective. If you want bi-directional connectivity, you need a pair of rules.

The firewall filter rules posted in your initial post are quite sub-optimal: the ordering is not optimal (rules are evaluated from top to bottom) and you don’t have fasttrack enabled. Both mean a higher load on the router’s CPU. I suggest you have a look at the default firewall rule set (you can get it by running /system default-configuration print … scroll down a bit) and take that as a base for your own improvements/additions.

The firewall filter rules posted in your initial post are quite sub-optimal: the ordering is not optimal (rules are evaluated from top to bottom) and you don’t have fasttrack enabled. Both mean a higher load on the router’s CPU.

Hmm… more things to think about.
I was trying to use the examples in the VLAN article by pcunite and the examples in the Learn MikroTik book I bought (Steve Discher).

I’ll post my whole config on both the RB4011 and CAP AC.

RB4011
/interface bridge
add name=bridge-p2-10 protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=bridge-p2-10 name=GAMING vlan-id=20
add interface=bridge-p2-10 name=GUEST_WIFI vlan-id=50
add interface=bridge-p2-10 name=HOME_WORK vlan-id=10
add interface=bridge-p2-10 name=IOT vlan-id=40
add interface=bridge-p2-10 name=MGMT_VLAN vlan-id=100
add interface=bridge-p2-10 name=PRINTERS vlan-id=60
add interface=bridge-p2-10 name=SERVERS vlan-id=30
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=MGMT
add name=VLANS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=10
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=30
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=40
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=40
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=60
add bridge=bridge-p2-10 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether10
add bridge=bridge-p2-10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=100
/interface bridge vlan
add bridge=bridge-p2-10 tagged=bridge-p2-10 untagged=ether4 vlan-ids=30
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 untagged=ether6,ether7 vlan-ids=40
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 untagged=ether8 vlan-ids=60
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 untagged=ether2 vlan-ids=10
add bridge=bridge-p2-10 tagged=bridge-p2-10 untagged=ether3 vlan-ids=20
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 vlan-ids=50
add bridge=bridge-p2-10 tagged=bridge-p2-10,ether10 untagged=ether5 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=MGMT_VLAN list=MGMT
add interface=HOME_WORK list=VLANS
add interface=GAMING list=VLANS
add interface=SERVERS list=VLANS
add interface=IOT list=VLANS
add interface=PRINTERS list=VLANS
add interface=GUEST_WIFI list=VLANS
/ip pool
add name=HOME_WORK_POOL ranges=10.1.10.2-10.1.10.30
add name=GAMING_POOL ranges=10.1.20.2-10.1.20.30
add name=SERVERS_POOL ranges=10.1.30.2-10.1.30.30
add name=IOT_POOL ranges=10.1.40.2-10.1.40.62
add name=PRINTERS_POOL ranges=10.1.60.2-10.1.60.30
add name=MGMT_POOL ranges=10.1.100.3-10.1.100.30
add name=GUEST_WIFI_POOL ranges=10.1.50.2-10.1.50.30
/ip dhcp-server
add address-pool=HOME_WORK_POOL disabled=no interface=HOME_WORK name=HOME_WORK_DHCP
add address-pool=GAMING_POOL disabled=no interface=GAMING name=GAMING_DHCP
add address-pool=SERVERS_POOL disabled=no interface=SERVERS name=SERVERS_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT name=IOT_DHCP
add address-pool=PRINTERS_POOL disabled=no interface=PRINTERS name=PRINTERS_DHCP
add address-pool=MGMT_POOL disabled=no interface=MGMT_VLAN name=MGMT_DHCP
add address-pool=GUEST_WIFI_POOL disabled=no interface=GUEST_WIFI name=GUEST_WIFI_DHCP
/ip address
add address=10.1.100.1/27 interface=MGMT_VLAN network=10.1.100.0
add address=10.1.10.1/27 interface=HOME_WORK network=10.1.10.0
add address=10.1.20.1/27 interface=GAMING network=10.1.20.0
add address=10.1.30.1/27 interface=SERVERS network=10.1.30.0
add address=10.1.40.1/26 interface=IOT network=10.1.40.0
add address=10.1.60.1/27 interface=PRINTERS network=10.1.60.0
add address=10.1.50.1/27 interface=GUEST_WIFI network=10.1.50.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.1.10.0/27 dns-server=10.1.100.1 gateway=10.1.10.1
add address=10.1.20.0/27 dns-server=10.1.100.1 gateway=10.1.20.1
add address=10.1.30.0/27 dns-server=10.1.100.1 gateway=10.1.30.1
add address=10.1.40.0/26 dns-server=10.1.100.1 gateway=10.1.40.1
add address=10.1.50.0/27 dns-server=10.1.100.1 gateway=10.1.50.1
add address=10.1.60.0/27 dns-server=10.1.100.1 gateway=10.1.60.1
add address=10.1.100.0/27 dns-server=10.1.100.1 gateway=10.1.100.1
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=10.1.10.0/27 list=HOME_WORK_VLAN
add address=10.1.20.0/27 list=GAMING_VLAN
add address=10.1.30.0/27 list=SERVERS_VLAN
add address=10.1.40.0/26 list=IOT_VLAN
add address=10.1.50.0/27 list=GUEST_WIFI_VLAN
add address=10.1.60.0/27 list=PRINTERS_VLAN
add address=10.1.100.0/27 list=MGMT_VLAN
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip firewall filter
add action=drop chain=input comment="Rule 1 Input Chain Drop Invalid #LMB" connection-state=invalid
add action=drop chain=forward comment="Rule 2 Forward Chain Drop Invalid #LMB" connection-state=invalid
add action=accept chain=input comment="Rule 3 Modified for interface list #LMB" in-interface-list=MGMT
add action=accept chain=input comment="Related to Rule 3 Accept internal vlans for dns input chain" in-interface-list=VLANS
add action=accept chain=input comment="Rule 4 Input Chain Accept established #LMB" connection-state=established
add action=drop chain=input comment="Rule 5 Drop all others to router #LMB"
add action=accept chain=forward comment="Rule 6 Modified allow new connections from all VLANS #LMB" connection-state=new in-interface-list=VLANS out-interface-list=WAN
add action=accept chain=forward comment="Related to rule 6 Modified allow new connections from the MGMT vlan #LMB" connection-state=new in-interface-list=MGMT out-interface-list=WAN
add action=accept chain=forward comment="Rule 7 Forward Chain Allow related connections through router #LMB" connection-state=related
add action=accept chain=forward comment="Rule 8 Forward Chain Allow established connections through router #LMB" connection-state=established
add action=drop chain=forward comment="Rule 9 Drop all other connections through router"
/ip firewall nat
add action=masquerade chain=srcnat comment="Masq for internet wan port ether 1" out-interface-list=WAN


CAP AC
/interface bridge
add admin-mac=bla auto-mac=no comment="bridge for cap ac 1" name=bridge-jt-cap-ac protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=TH-HOME wireless-protocol=802.11
/interface vlan
add interface=bridge-jt-cap-ac name=MGMT_VLAN vlan-id=100
/interface list
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="vlan 10 - home - work - laptops - master wlan2" eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=""
add authentication-types=wpa2-psk comment="vlan 40 - IOT vlan -master wlan2" eap-methods="" management-protection=allowed mode=dynamic-keys name=vlan40-th-iot supplicant-identity="" wpa2-pre-shared-key=""
add authentication-types=wpa2-psk comment="vlan50 - guest wifi - master wlan2" eap-methods="" management-protection=allowed mode=dynamic-keys name=vlan50-guest-wifi supplicant-identity="" wpa2-pre-shared-key=
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=vlan60-printers-24G supplicant-identity="" wpa2-pre-shared-key=
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=vlan60-printers-24G ssid=TH-PRINT wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=bla master-interface=wlan2 multicast-buffering=disabled name=wlan3-vlan40-iot security-profile=vlan40-th-iot ssid=TH-IOT wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=bla master-interface=wlan2 multicast-buffering=disabled name=wlan4-vlan50-guest security-profile=vlan50-guest-wifi ssid=TH-GUEST wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/interface bridge port
add bridge=bridge-jt-cap-ac comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-jt-cap-ac comment=defconf interface=ether2
add bridge=bridge-jt-cap-ac comment="vlan 60 - printers" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan1 pvid=60
add bridge=bridge-jt-cap-ac comment="vlan 10 - home wifi vlan" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan2 pvid=10
add bridge=bridge-jt-cap-ac comment="vlan 40 iot vlan" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan3-vlan40-iot pvid=40
add bridge=bridge-jt-cap-ac comment="vlan 50 - guest wifi" frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan4-vlan50-guest pvid=50
/interface bridge vlan
add bridge=bridge-jt-cap-ac tagged=ether1 untagged=wlan1 vlan-ids=60
add bridge=bridge-jt-cap-ac tagged=ether1 untagged=wlan2 vlan-ids=10
add bridge=bridge-jt-cap-ac tagged=ether1 untagged=wlan3-vlan40-iot vlan-ids=40
add bridge=bridge-jt-cap-ac tagged=ether1 untagged=wlan4-vlan50-guest vlan-ids=50
add bridge=bridge-jt-cap-ac tagged=bridge-jt-cap-ac,ether1 vlan-ids=100
/interface list member
add interface=MGMT_VLAN list=MGMT

/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=10.1.100.2/27 interface=MGMT_VLAN network=10.1.100.0
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip route
add distance=1 gateway=10.1.100.1

Current Issues I’m trying to solve:

-No internet access on management vlan 10.1.100.0/27 for the cap ac (so I can’t get router os updates)
-Have a printer on vlan60 talk to vlan10
-Learn better firewall rules


Thanks all for the help, it’s been a good and fun learning experience.

All equipment should be on its own VLAN which I call the Base (MGMT) VLAN. Do this before you do anything else, and have a PC plugged into this VLAN so you can administrate it. When you have that understood and working, you can add more VLANs. Naturally, everyone wants everything in the beginning. But you have to run before you can fly. : - )

I show an example of how to open up a VLAN completely, or via ports under the Public VLAN, Printer & Server topic here. I know it may get tiring to hear it, but everything you need to know is in that topic. Print it out, memorize it.

Learning better firewall rules takes time. You shouldn’t deviate from my examples too much, as you have done, until you really understand them. It will take you 100 hours to understand them. However, firewall rules are a personal thing and you’ll develop and create your own and that is a good thing.

Thanks. I am reading your article, but, just digesting what I can at a time.
I’ve taken to downloading all of your examples and putting them in vscode with the mikrotik extension in tabs.
I usually learn by doing, so sometimes I just have to hack away at it, before it starts making sense.

In my case, I called the BASE_VLAN, MGMT_VLAN.
I did get the printer to work I believe with some new firewall rules.
I also redid the firewall rules based on your examples- and the default config (I did save my old ones just in case).
The CAP AC now has internet access - it did not have a dns server set (ooops).

The interesting part is that this “Learn Mikrotik book I bought” suggests blowing away the default firewall config and using some of their examples, which are slightly different.
i.e. they drop invalid connections first… then accept only new on the input chain.
I wonder why the difference in philosophy?

Here is what I’m running now for the firewall. I also put that fasttrack rule in there as suggested by mkx.
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLANS
add action=accept chain=input comment="Allow Mgmt_Vlan Full Access" in-interface=MGMT_VLAN
add action=drop chain=input comment=Drop
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Printer Rule 1 for Home vlan" connection-state=new dst-address=10.1.60.3 in-interface=HOME_WORK out-interface=PRINTERS src-address=10.1.10.0/27
add action=accept chain=forward comment="Printer Rule 2 for Home vlan" connection-state=new dst-address=10.1.10.0/27 in-interface=PRINTERS out-interface=HOME_WORK src-address=10.1.60.3
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLANS out-interface-list=WAN
add action=drop chain=forward comment=Drop

For starters the manual tells you to use this rule. So, unless you have a good reason, I imagine most people implement it without thinking. Was any explanation given for why you should use this rule and put it first? Probably not. However, I will explain my rules.

Understand that whatever method you use, you must be consistent. My philosophy is to be strict in what is allowed. This requires that there be a default drop for everything else. If you don’t follow that thinking completely, then you need to check the invalid state. Understand that if a packet is not New, Established, or Related, it is automatically an Invalid packet.

My rules:
I feel that the first rule should always be what you process the most (or will expect to anyway). This will give you the most performance. Do you have millions of invalid connections hitting your router? If so, then by all means put that first. My first rule only checks for established or related, which is my most common. Any packet that is not in those two states is either new or invalid. It can’t be anything else. Because the first rule did not catch that packet, it will now be checked by the next rule.

Any packet making it past my first rule is unknown to me. It could fall through many rules, until we find out what this thing is.

Knowing that this packet might be invalid means that every subsequent rule must, generally speaking, check for New. You will notice that nearly all my forward rules do this in fact, for this very reason. So, New connections get identified and then are sent to the first rule thereafter since they only need to be identified one time. Identify a packet, Put it in catch all, Else drop it.

Okay, okay. But why then do I not show connection-state=new checking on the input rules? Well, that I’m afraid is my mistake. Understand that firewall security was not the focus of the article. In fact, the second input rule (comment=“Allow VLAN”) was intentionally shown only as a means of brevity. You absolutely should not be doing that!

What have we learned? Checking for invalid makes sense based on how, what, why, and when you’re checking the packet state.

For completeness’ sake: in addition to the connection states listed by @pcunite (new, established, related and invalid) there’s another one: untracked. However, this is not a usual state; firewall rules (most probably in raw) have to explicitly untrack certain packets. Default firewall rules treat established,related,untracked equally.

And a comment on firewall filter cookbook recipes found in books and on the internet: the default firewall rules evolved over time. The current default rules have been there since about two years ago (or something) and most users on this forum find them a pretty good basis. Previous ROS versions featured a default firewall setup which was … less optimal … and replacing it with a different set of rules made more sense.

Was any explanation given for why you should use this rule and put it first?

For reference - the book is here:
https://www.ispsupplies.com/ISP-Services-LMT-B2C

The only explanation they give is - “the default configuration quickly becomes too restrictive for anything but a home router”
The copyright on the book is also 2016. So who knows. It says it was updated for RouterOS version 6.

At any rate, I was just trying to study both examples and learn from there. I can stick to the default for now- and the examples you’ve posted.
Thanks again.

Understand that firewall security was not the focus of the article. In fact, the second input rule (comment=“Allow VLAN”) was intentionally shown only as a means of brevity. You absolutely should not be doing that!

I’ll have a look at that wiki article and I’m still studying the default config…

Do you have a more secure example? (even in the book that I have - they pretty much do the same thing, except with an address list)
Would that be something like - restrict by tcp/udp port? dns? dhcp?

I’m not the authority on firewall rules. An example would look something like this:


# Sample INPUT example limiting Router exposure from the LAN (VLAN)
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=input action=accept connection-state=new in-interface-list=VLANS dst-port=53 protocol=udp comment="Allow VLAN DNS"
add chain=input action=accept connection-state=new in-interface=MGMT_VLAN comment="Allow Mgmt_Vlan Full Access"
add chain=input action=drop comment="Drop"
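To make two points in this thread concrete (mkx’s explanation that forward rules matching connection-state=new are direction-selective, so inter-VLAN access such as laptop-to-printer needs one rule per direction, and pcunite’s point that an input rule with no connection-state match, like the “Allow VLAN” rule, lets packets of any state and to any port reach the router), here is an added example that is not from the thread, from MikroTik, or from either poster’s article: a small Python model of first-match filter evaluation, run over the forward rules posted above, the loose input chain from the same post, and the stricter input example just above. The names INPUT_LOOSE and INPUT_STRICT, the interface-list membership, the sample hosts and the packet states are constructed from the configs in this thread; RouterOS connection tracking itself and the fasttrack rule are not modelled, only the matchers the posted rules use.

```python
"""Added example (not from the thread or from MikroTik): a first-match model of
a RouterOS /ip firewall filter chain, covering only the matchers the posted
rules use (chain, connection-state, in/out interface and interface lists,
src/dst address, protocol, dst-port).  The fasttrack rule is left out."""
import ipaddress

# Interface lists as configured on the RB4011 earlier in the thread.
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "MGMT": {"MGMT_VLAN"},
    "VLANS": {"HOME_WORK", "GAMING", "SERVERS", "IOT", "PRINTERS", "GUEST_WIFI"},
}


def _in_net(addr, net):
    # A bare host address such as 10.1.60.3 is treated as a /32, as RouterOS does.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def rule_matches(rule, pkt):
    """All matchers present in a rule must match the packet (AND semantics)."""
    if rule["chain"] != pkt["chain"]:
        return False
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    for key, field in (("in-interface", "in"), ("out-interface", "out"),
                       ("protocol", "proto"), ("dst-port", "dport")):
        if key in rule and pkt.get(field) != rule[key]:
            return False
    for key, field in (("in-interface-list", "in"), ("out-interface-list", "out")):
        if key in rule and pkt.get(field) not in INTERFACE_LISTS[rule[key]]:
            return False
    for key, field in (("src-address", "src"), ("dst-address", "dst")):
        if key in rule and not _in_net(pkt[field], rule[key]):
            return False
    return True


def evaluate(rules, pkt):
    """Rules are checked top to bottom and the first match decides.  If nothing
    matches, RouterOS accepts the packet, which is why every chain ends in a drop."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain (implicit accept)"


def R(chain, action, comment, **matchers):
    """Shorthand for one rule; underscores in keyword names become RouterOS hyphens."""
    rule = {k.replace("_", "-"): v for k, v in matchers.items()}
    rule.update(chain=chain, action=action, comment=comment)
    return rule


# Forward chain as posted by the thread starter (fasttrack rule omitted).
FORWARD_RULES = [
    R("forward", "accept", "Allow Estab & Related", connection_state="established,related"),
    R("forward", "accept", "Printer Rule 1 for Home vlan", connection_state="new",
      in_interface="HOME_WORK", out_interface="PRINTERS",
      src_address="10.1.10.0/27", dst_address="10.1.60.3"),
    R("forward", "accept", "Printer Rule 2 for Home vlan", connection_state="new",
      in_interface="PRINTERS", out_interface="HOME_WORK",
      src_address="10.1.60.3", dst_address="10.1.10.0/27"),
    R("forward", "accept", "VLAN Internet Access only", connection_state="new",
      in_interface_list="VLANS", out_interface_list="WAN"),
    R("forward", "drop", "Drop"),
]

# Input chain as posted: "Allow VLAN" has no connection-state or port match at all.
INPUT_LOOSE = [
    R("input", "accept", "Allow Estab & Related", connection_state="established,related"),
    R("input", "accept", "Allow VLAN", in_interface_list="VLANS"),
    R("input", "accept", "Allow Mgmt_Vlan Full Access", in_interface="MGMT_VLAN"),
    R("input", "drop", "Drop"),
]

# Stricter input chain from the example above: VLANs may only open new DNS queries.
INPUT_STRICT = [
    R("input", "accept", "Allow Estab & Related", connection_state="established,related"),
    R("input", "accept", "Allow VLAN DNS", connection_state="new",
      in_interface_list="VLANS", protocol="udp", dst_port=53),
    R("input", "accept", "Allow Mgmt_Vlan Full Access", connection_state="new",
      in_interface="MGMT_VLAN"),
    R("input", "drop", "Drop"),
]


def forward_verdict(in_if, out_if, src, dst, state="new"):
    """Verdict for a packet routed between two router interfaces."""
    pkt = {"chain": "forward", "in": in_if, "out": out_if, "src": src, "dst": dst, "state": state}
    return evaluate(FORWARD_RULES, pkt)[0]


def input_verdict(rules, in_if, src, state, proto=None, dport=None):
    """Verdict for a packet addressed to the router itself (constructed router address)."""
    pkt = {"chain": "input", "in": in_if, "src": src, "dst": "10.1.100.1",
           "state": state, "proto": proto, "dport": dport}
    return evaluate(rules, pkt)[0]


if __name__ == "__main__":
    print(forward_verdict("HOME_WORK", "PRINTERS", "10.1.10.5", "10.1.60.3"))  # accept
    print(forward_verdict("GAMING", "PRINTERS", "10.1.20.5", "10.1.60.3"))     # drop
    print(input_verdict(INPUT_LOOSE, "GAMING", "10.1.20.5", "invalid"))        # accept
    print(input_verdict(INPUT_STRICT, "GAMING", "10.1.20.5", "invalid"))       # drop
```

Running it shows the two behaviours side by side: the printer pair only opens HOME_WORK to the one printer host and the printer back to HOME_WORK, while any other VLAN still falls through to the final drop; and the loose input chain accepts an invalid-state packet (or a new connection to any router port) from every VLAN, whereas the strict chain only ever accepts a new UDP/53 query from the VLANs, which is exactly the gap pcunite describes.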

Do you use interface lists more than address lists because of performance?

I don’t know which is more performant. But I must admit I hate Address Lists and seeing all those ungainly things show up there without a way to put them into neat little folders. I would assume, not having access to RouterOS source code, that the interface itself would be the fastest way. But if you have several interfaces that need similar access, well, a list is cleaner in that regard. And so, here we are.

To be more clear, I like thinking about interfaces vs. addresses. Addressing can change, but that interface, well it was designed by me to always perform that function. It has a name, and it makes sense to me. What are addresses? A bunch of numbers?