RB4011iGS+ VLAN filtering issues.

I have spent weeks determined not to let this get the better of me. I have read all the forum posts and various tutorials. I’ve experimented again and again, but I am now accepting defeat. I have a fairly basic set-up using a RB760iGS. Whenever I turn on VLAN filtering for the bridge using the setup below, it all seems fine for a few days, then my issues begin. The clients on the VLANs get an IP address from the DHCP server and my untagged native-VLAN traffic is fine, but I then find that devices stop being able to access the internet via the WAN.

Ether1 is the WAN and ether ports 2-10 are a mix of access and trunk ports carrying 4 VLANs. I know that I’m doing something silly but for the life of me cannot figure it out. I have never had a router / switch defeat me like this. Can someone help me understand what the issue is please?


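/interface bridge
# One bridge for every LAN port, VLAN filtering on. auto-mac=no pins the bridge
# MAC so it does not change when ports come and go.
# NOTE(review): 33:33:33:33:33:33 has the group/multicast bit set (odd first
# octet) and is the IPv6-multicast MAC prefix. If that is not just a redaction
# of the real address, replace it with a unicast MAC (even first octet).
# protocol-mode=none switches (R)STP off: fine for a single bridge, but a loop
# between two trunk ports will not be blocked.
add admin-mac=33:33:33:33:33:33 auto-mac=no comment=defconf name=LanBridge protocol-mode=none vlan-filtering=yes
# The VLAN interfaces live under /interface vlan, not /interface bridge (the
# section header went missing in the paste; "/interface bridge add" has no
# vlan-id parameter and would reject these lines). Each one is the router's
# layer-3 presence in that VLAN; it only sees traffic because LanBridge is a
# tagged member of that VLAN in /interface bridge vlan.
/interface vlan
add interface=LanBridge name=VLAN5 vlan-id=5
add interface=LanBridge name=VLAN10 vlan-id=10
add interface=LanBridge name=VLAN20 vlan-id=20
add interface=LanBridge name=VLAN30 vlan-id=30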
/interface ethernet switch port
# default-vlan-id=0 on every switch-chip port is what RouterOS writes itself
# once vlan-filtering is enabled on a bridge that uses the switch chip: VLAN
# membership is then decided by the bridge VLAN table, not by a separate
# switch-chip VLAN table. Nothing to change here.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# all-vlan and vlan end up with the same four members (see /interface list
# member); only "vlan" is referenced by the firewall. Subnets has no members
# and nothing uses it.
add name=all-vlan
add comment="VLAN list" name=vlan
add name=Subnets
# The name contains a space and a slash, which is why the export quotes it;
# every rule that references it has to quote it too. exclude=WAN is
# belt-and-braces: LAN and vlan never contain ether1 anyway.
add comment="All LAN/VLAN, exclude WAN" exclude=WAN include=LAN,vlan name="all lan/vlan"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp is the factory pool; no server below uses it.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# One pool per subnet, .2-.254; .1 is the router in every subnet.
add name=dhcp ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool5 ranges=192.168.5.2-192.168.5.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool30 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
# defconf serves the untagged/base LAN on the bridge itself with the 192.168.2.x
# pool, so LanBridge needs 192.168.2.1/24 -- in this export that address sits
# on ether2 (see /ip address), not on LanBridge.
add address-pool=dhcp disabled=no interface=LanBridge name=defconf
# One server per VLAN interface. src-address fixes the address the server
# answers from; each VLAN interface carries a single address, so it is
# optional here.
add address-pool=dhcp_pool5 disabled=no interface=VLAN5 lease-time=3d name=dhcp5 src-address=192.168.5.1
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 lease-time=3d name=dhcp10 src-address=192.168.10.1
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 lease-time=3d name=dhcp20 src-address=192.168.20.1
add address-pool=dhcp_pool30 disabled=no interface=VLAN30 lease-time=3d name=dhcp30 src-address=192.168.30.1

/interface bridge port
# ether2, ether5, ether6 (and sfp-sfpplus1 below) give no pvid or frame-types,
# so they take the defaults pvid=1 / admit-all: untagged ports in the base LAN.
add bridge=LanBridge ingress-filtering=yes interface=ether2
# ether3 / ether4: VLAN 30 access ports -- untagged frames in, tagged rejected.
# ether4 lacks ingress-filtering=yes here (the second post adds it).
add bridge=LanBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether3 pvid=30
add bridge=LanBridge frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether4 pvid=30
add bridge=LanBridge ingress-filtering=yes interface=ether5
add bridge=LanBridge ingress-filtering=yes interface=ether6
# ether7-ether10 are the trunks (tagged for 5/10/20/30 in /interface bridge
# vlan). They keep pvid=1 and admit-all, so an UNTAGGED frame arriving on a
# trunk is placed in VLAN 1, i.e. the base LAN: anything plugged into a trunk
# port, or a switch that sends its native VLAN untagged, lands in
# 192.168.2.0/24 without a tag. For pure trunks set
# frame-types=admit-only-vlan-tagged.
# ether8 is also the only trunk without ingress-filtering=yes; with it off, a
# frame tagged with a VLAN ID that has no entry for this port is still let in.
add bridge=LanBridge ingress-filtering=yes interface=ether7
add bridge=LanBridge interface=ether8
add bridge=LanBridge ingress-filtering=yes interface=ether9
add bridge=LanBridge ingress-filtering=yes interface=ether10
# SFP uplink: admit-all, pvid 1, no ingress filtering -- same exposure as the
# trunks above if anything other than a base-LAN device is attached.
add bridge=LanBridge comment=defconf interface=sfp-sfpplus1

/ip neighbor discovery-settings
# MNDP/LLDP only on the LAN list (bridge + ether2..10), never towards ether1.
set discover-interface-list=LAN

/interface bridge vlan
# VLAN 30: tagged on the trunks, untagged on ether3/ether4 (their pvid=30).
# LanBridge itself is a tagged member of every VLAN so that the router's VLANx
# interfaces (addresses, DHCP servers) can see the tagged traffic.
# There is no entry for VLAN 1, the pvid of every other port; the base LAN
# relies on the dynamic pvid entry RouterOS maintains for it.
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge untagged=ether3,ether4 vlan-ids=30
# VLANs 5/10/20 are tagged on the trunks only: no access ports on this router.
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=5
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=10
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=20
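/interface list member
# LanBridge must be in LAN. The original export read "nterface=LanBridge",
# which RouterOS rejects on import, so the bridge silently stayed out of the
# LAN list (neighbor discovery and the "all lan/vlan" list both depend on it).
add interface=LanBridge list=LAN
add interface=ether1 list=WAN
# all-vlan and vlan carry the same four members; only vlan is referenced by
# the firewall and by the "all lan/vlan" list.
add interface=VLAN5 list=all-vlan
add interface=VLAN10 list=all-vlan
add interface=VLAN20 list=all-vlan
add interface=VLAN30 list=all-vlan
add interface=VLAN5 list=vlan
add interface=VLAN10 list=vlan
add interface=VLAN20 list=vlan
add interface=VLAN30 list=vlan
# Individual bridge ports in LAN as well as the bridge; this is what lets
# discovery run on every physical LAN port.
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN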
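/ip address
# Factory address, kept disabled (the export listed it twice; one copy is enough).
add address=192.168.88.1/24 disabled=yes interface=LanBridge network=192.168.88.0
# The base-LAN address belongs on the bridge, not on ether2: ether2 is a slave
# port of LanBridge (/interface bridge port), so an address bound to it is not
# usable for routing, and the defconf DHCP server (interface=LanBridge, pool
# 192.168.2.x) had no matching address on its interface.
add address=192.168.2.1/24 interface=LanBridge network=192.168.2.0
# One /24 per VLAN interface; .1 is also the DHCP gateway/dns-server.
add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip dhcp-client
# WAN address from the upstream DHCP server on ether1.
add dhcp-options=hostname,clientid disabled=no interface=ether1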
/ip dhcp-server lease
# Static leases. 00:11:32:52:85:56 is reserved twice (defconf, disabled, and
# dhcp30): the host has moved from the base LAN to VLAN 30. 192.168.2.45 is
# reserved for two MACs (...:55 live, ...:56 disabled); only one reservation
# per address can be active at a time.
add address=192.168.2.45 client-id=1:0:11:32:52:85:56 disabled=yes mac-address=\
    00:11:32:52:85:56 server=defconf
add address=192.168.2.11 mac-address=00:23:24:3C:69:EF server=defconf
add address=192.168.2.45 client-id=1:0:11:32:52:85:55 mac-address=00:11:32:52:85:55 server=defconf
add address=192.168.30.45 client-id=1:0:11:32:52:85:56 mac-address=00:11:32:52:85:56 server=dhcp30
/ip dhcp-server network
# Clients get the router's address in their subnet as gateway and DNS; the
# router resolves for them (allow-remote-requests=yes in /ip dns). netmask=24
# only restates the /24 prefix.
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1 netmask=24
# Factory network; matches the disabled 192.168.88.1 address and is unused.
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS on EVERY interface,
# ether1 included. That is only safe while the input chain blocks port 53
# from the WAN (see /ip firewall filter); without those rules this is an open
# resolver.
set allow-remote-requests=yes cache-max-ttl=3d cache-size=1024KiB max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=2000
/ip dns static
# The names on these entries were stripped from the paste (only router.lan
# survives; "add address=..." without name= is not a valid entry).
# 192.168.2.1 is listed twice (first and last).
add address=192.168.88.1 name=router.lan
add address=192.168.2.1
add address=192.168.2.6
add address=192.168.2.45
add address=192.168.2.13
add address=192.168.2.11
add address=192.168.30.25
add address=192.168.2.3
add address=192.168.2.21
add address=192.168.2.1
/ip firewall address-list
# One single-prefix list per subnet, named after the prefix. No filter rule
# below references any of them.
add address=192.168.2.0/24 list=192.168.2.0/24
add address=192.168.5.0/24 list=192.168.5.0/24
add address=192.168.10.0/24 list=192.168.10.0/24
add address=192.168.20.0/24 list=192.168.20.0/24
add address=192.168.30.0/24 list=192.168.30.0/24
/ip firewall filter
# ---- input chain: traffic addressed TO the router ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid_
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# (forward rule interleaved with the input rules; it matches ether1 directly
# rather than the WAN list used by the masquerade rule.)
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# connection-state="" is an empty (unset) matcher. These two rules are the
# ONLY thing stopping WAN hosts from using the router as a resolver
# (allow-remote-requests=yes in /ip dns).
add action=drop chain=input comment="Drop DNS requests from WAN UDP\
    \n" connection-state="" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop DNS requests from WAN TCP" connection-state="" dst-port=53 in-interface=\
    ether1 protocol=tcp
# ---- forward chain ----
# The fasttrack rule is unreachable: this accept precedes it and already
# matches every established/related packet, so nothing is ever fasttracked.
# The RouterOS default places fasttrack BEFORE the accept.
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
# ---- input chain again ----
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list="all lan/vlan" \
    protocol=tcp
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list="all lan/vlan" \
    protocol=udp
add action=accept chain=input comment="Allow DNS requests from all (LAN/VLANs)subnets for UDP" disabled=yes dst-port=\
    53 protocol=udp src-address=192.168.0.0/16
add action=accept chain=input comment="Allow DNS requrests from all (LAN/VLANs) subnets TCP" disabled=yes dst-port=53 \
    protocol=tcp src-address=192.168.0.0/16
# NOTE(review): the input chain has NO terminal drop. Apart from invalid
# packets and DNS, anything sent to the router from ether1 -- Winbox, SSH,
# WWW, API, whichever services are enabled -- is accepted. The RouterOS
# default config ends input with "drop all not coming from LAN"; that rule is
# missing here. Add a final input drop, after an accept for your admin hosts.
# ---- forward chain ----
add action=drop chain=forward disabled=yes dst-address=192.168.2.0/24 src-address=!192.168.2.0/24
# Only VLAN -> VLAN is dropped. VLAN <-> base LAN (192.168.2.0/24) and
# everything else is let through by the catch-all accept below, which is
# itself redundant: with no terminal drop, the chain's default action is
# accept anyway.
add action=drop chain=forward comment="Drop all inter vlan traffic\
    \n" in-interface-list=vlan log-prefix=INTER-VLAN-DROP out-interface-list=vlan
add action=accept chain=forward
/ip firewall nat
# Source NAT for everything leaving through the WAN list (ether1).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Gotta go out, but a quick look:
`add address=192.168.2.1/24 interface=ether2 network=192.168.2.0`

should be on your bridge. ether2 is a slave port of LanBridge, so an address bound to it is not usable; put 192.168.2.1/24 on LanBridge instead (your defconf DHCP server is already bound to LanBridge and currently has no matching address on it).

Thanks for the quick response, I’ve updated that as you suggested but I think there is something else, because same deal. See updated below

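/interface bridge
# The bridge definition belongs under /interface bridge; the paste put it
# under /interface vlan, where vlan-filtering= and protocol-mode= would be
# rejected. (NOTE(review): 33:33:33:33:33:33 is a multicast MAC -- if it is
# not a redaction, use a unicast address.)
add admin-mac=33:33:33:33:33:33 auto-mac=no comment=defconf name=LanBridge protocol-mode=none vlan-filtering=yes
# Router-side VLAN interfaces on the bridge; LanBridge must be a tagged
# member of each VLAN in /interface bridge vlan for these to see traffic.
/interface vlan
add interface=LanBridge name=VLAN5 vlan-id=5
add interface=LanBridge name=VLAN10 vlan-id=10
add interface=LanBridge name=VLAN20 vlan-id=20
add interface=LanBridge name=VLAN30 vlan-id=30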
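/interface ethernet switch port
# Values RouterOS writes itself once bridge vlan-filtering is on for a
# switch-chip bridge; the bridge VLAN table decides membership. Leave as is.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# all-vlan duplicates vlan (same four members); Subnets has no members.
add name=all-vlan
add comment="VLAN list" name=vlan
add name=Subnets
# Name contains a space and a slash, hence the quotes wherever it is used.
add comment="All LAN/VLAN, exclude WAN" include=LAN,vlan name="all lan/vlan"
# This "set" belongs to the wireless security profiles; its section header
# was lost in the paste and under /interface list the line would be rejected.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik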

/ip pool
# default-dhcp is the factory pool; unused. One pool per subnet otherwise.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.2.2-192.168.2.254
add name=dhcp_pool5 ranges=192.168.5.2-192.168.5.254
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool30 ranges=192.168.30.2-192.168.30.254

/ip dhcp-server
# defconf serves the untagged base LAN on the bridge (192.168.2.1/24 is now on
# LanBridge, see /ip address). One server per VLAN interface; src-address is
# optional because each VLAN interface has a single address.
add address-pool=dhcp disabled=no interface=LanBridge name=defconf
add address-pool=dhcp_pool5 disabled=no interface=VLAN5 lease-time=3d name=dhcp5 src-address=192.168.5.1
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 lease-time=3d name=dhcp10 src-address=192.168.10.1
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 lease-time=3d name=dhcp20 src-address=192.168.20.1
add address-pool=dhcp_pool30 disabled=no interface=VLAN30 lease-time=3d name=dhcp30 src-address=192.168.30.1

/interface bridge port
# ether2: pvid 1 / admit-all by default -- untagged base-LAN port.
add bridge=LanBridge comment=defconf ingress-filtering=yes interface=ether2
# ether3 / ether4: VLAN 30 access ports (ether4 now has ingress-filtering too).
add bridge=LanBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
    interface=ether3 pvid=30
add bridge=LanBridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=\
    yes interface=ether4 pvid=30
# trusted=yes is a DHCP-snooping attribute (it lets DHCP server replies in on
# the port); it has no effect unless dhcp-snooping is enabled on the bridge,
# which nothing in this export shows.
# ether7-ether10 are trunks and still keep pvid=1 / admit-all: untagged frames
# arriving on a trunk are dropped into the base LAN. For pure trunks use
# frame-types=admit-only-vlan-tagged.
add bridge=LanBridge ingress-filtering=yes interface=ether5 trusted=yes
add bridge=LanBridge ingress-filtering=yes interface=ether6 trusted=yes
add bridge=LanBridge ingress-filtering=yes interface=ether7 trusted=yes
add bridge=LanBridge ingress-filtering=yes interface=ether8 trusted=yes
add bridge=LanBridge ingress-filtering=yes interface=ether9 trusted=yes
add bridge=LanBridge ingress-filtering=yes interface=ether10 trusted=yes
# SFP uplink: admit-all, pvid 1, no ingress filtering.
add bridge=LanBridge comment=defconf interface=sfp-sfpplus1

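/interface bridge settings
# Keep both at the default (no). With use-ip-firewall=yes, frames that are
# merely bridged between ports (same VLAN, never routed) are also pushed
# through /ip firewall, so the forward chain starts seeing layer-2 traffic and
# hardware offload is lost. The IP firewall already sees every routed
# (inter-VLAN / WAN) packet without this. Turn it back on only if you
# deliberately want to filter switched traffic with /ip firewall.
set use-ip-firewall=no use-ip-firewall-for-vlan=no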

/ip neighbor discovery-settings
# Discovery only on the LAN list; ether1 is excluded.
set discover-interface-list=LAN

/interface bridge vlan
# Unchanged from the first post: VLAN 30 has access ports ether3/ether4,
# 5/10/20 are trunk-only, LanBridge is a tagged member of all four so the
# VLANx interfaces work. VLAN 1 (base LAN, pvid of the remaining ports) has no
# static entry and relies on the dynamic pvid entry.
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge untagged=ether3,ether4 vlan-ids=30
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=5
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=10
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=20
/interface list member
# LanBridge is now correctly in LAN (the first post had a typo on this line).
add interface=LanBridge list=LAN
add interface=ether1 list=WAN
# all-vlan and vlan are identical; only vlan is used by the firewall.
add interface=VLAN5 list=all-vlan
add interface=VLAN10 list=all-vlan
add interface=VLAN20 list=all-vlan
add interface=VLAN30 list=all-vlan
add interface=VLAN5 list=vlan
add interface=VLAN10 list=vlan
add interface=VLAN20 list=vlan
add interface=VLAN30 list=vlan
# Physical bridge ports in LAN as well, for neighbor discovery.
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN

/ip address
# Factory address, disabled.
add address=192.168.88.1/24 disabled=yes interface=LanBridge network=192.168.88.0
# Base-LAN address now on the bridge (was on slave port ether2 in the first
# post), so the defconf DHCP server has a matching address on its interface.
add address=192.168.2.1/24 interface=LanBridge network=192.168.2.0
add address=192.168.5.1/24 interface=VLAN5 network=192.168.5.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0

/ip dhcp-client
# WAN address from upstream on ether1.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server network
# Router's own address is gateway and DNS in each subnet; the router resolves
# for clients (allow-remote-requests=yes below).
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1 netmask=24
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1 netmask=24
# Factory network, unused.
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
# Answers DNS on every interface, ether1 included; relies on the input chain
# to keep WAN hosts out, otherwise this is an open resolver.
set allow-remote-requests=yes cache-max-ttl=3d cache-size=1024KiB max-concurrent-queries=1000 max-concurrent-tcp-sessions=\
    2000


/ip firewall address-list
# One single-prefix list per subnet; no filter rule references them.
add address=192.168.2.0/24 list=192.168.2.0/24
add address=192.168.5.0/24 list=192.168.5.0/24
add address=192.168.10.0/24 list=192.168.10.0/24
add address=192.168.20.0/24 list=192.168.20.0/24
add address=192.168.30.0/24 list=192.168.30.0/24

/ip firewall filter
# ---- input chain: traffic addressed TO the router ----
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid_
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# (forward rule sitting among the input rules; matches ether1 directly rather
# than the WAN list the masquerade rule uses.)
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
# connection-state="" is an empty (unset) matcher. These are the only rules
# keeping WAN hosts from using the router as a resolver.
add action=drop chain=input comment="Drop DNS requests from WAN UDP\
    \n" connection-state="" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop DNS requests from WAN TCP" connection-state="" dst-port=53 in-interface=ether1 \
    protocol=tcp
# ---- forward chain ----
# fasttrack is unreachable: the accept above it already matches every
# established/related packet. RouterOS's default order is fasttrack first.
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
# ---- input chain again ----
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list="all lan/vlan" protocol=tcp
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list="all lan/vlan" protocol=udp
add action=accept chain=input comment="Allow DNS requests from all (LAN/VLANs)subnets for UDP" disabled=yes dst-port=53 \
    protocol=udp src-address=192.168.0.0/16
add action=accept chain=input comment="Allow DNS requrests from all (LAN/VLANs) subnets TCP" disabled=yes dst-port=53 \
    protocol=tcp src-address=192.168.0.0/16
# NOTE(review): still no terminal drop on the input chain. Everything the
# router listens on (Winbox, SSH, WWW, API, ...) is reachable from ether1
# except DNS. The default-config rule "drop all not coming from LAN" is
# missing; add a final input drop behind an accept for your admin hosts.
# ---- forward chain ----
add action=drop chain=forward disabled=yes dst-address=192.168.2.0/24 src-address=!192.168.2.0/24
# With this rule disabled and the catch-all accept below, every VLAN can reach
# every other VLAN and the base LAN: the VLANs are separated at layer 2 only.
# The accept is redundant as well -- without a terminal drop the chain's
# default action is accept.
add action=drop chain=forward comment="Drop all inter vlan traffic\
    \n" disabled=yes in-interface-list=vlan log-prefix=INTER-VLAN-DROP out-interface-list=vlan
add action=accept chain=forward

/ip firewall nat
# Source NAT for everything leaving through the WAN list (ether1).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Please tell me I’ve done something really silly… :disappointed_face:

Why do you have ingress filtering on all bridge ports except ether8? It will not break anything — ingress-filtering only drops frames whose VLAN ID is not in the bridge VLAN table for that port — but it should be consistent across the trunk ports.

Whilst looking at the config, I will say this.
I personally DO NOT get the bridge to have anything to do with DHCP etc.
At home I created vlan 100 for example and that goes to all my home trusted users.

In your case, the pool `add name=dhcp ranges=192.168.2.2-192.168.2.254` becomes part of VLAN 100 (home, base or management VLAN, whatever you want to call it), and you make the necessary modifications, which are very minor.
The biggest difference will be in the Bridge VLAN settings.

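/interface bridge vlan
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge untagged=ether3,ether4 vlan-ids=30
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=5
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=10
add bridge=LanBridge tagged=ether7,ether8,ether9,ether10,LanBridge vlan-ids=20
# VLAN 100 = the base/home LAN that today rides untagged as VLAN 1.
# The SFP port on this unit is sfp-sfpplus1, and the member list takes no
# spaces. Everything listed here is a TAGGED member, which only suits ports
# going to another switch or AP: ether2 and ether4 are currently untagged ports
# (ether4 is a VLAN 30 access port with
# frame-types=admit-only-untagged-and-priority-tagged, so it would drop the
# tagged frames), so adjust /interface bridge port for them as well.
# LanBridge as a tagged member is what lets a new /interface vlan VLAN100 on
# the bridge carry 192.168.2.1/24 and the defconf DHCP server.
add bridge=LanBridge tagged=ether2,ether4,ether5,ether6,ether7,ether8,sfp-sfpplus1,LanBridge vlan-ids=100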

Or something like that, assuming that all of those ports go to smart devices such as managed switches or smart APs that can handle tagged frames.
If not — say ether8 goes to a plain LAN PC — make ether8 an untagged member instead:
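# ether8 as an untagged (access) member of VLAN 100; SFP port is sfp-sfpplus1.
add bridge=LanBridge tagged=ether2,ether4,ether5,ether6,ether7,sfp-sfpplus1,LanBridge untagged=ether8 vlan-ids=100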
(and of course the bridge port entry for ether8 would then need to match: pvid=100 plus frame-types=admit-only-untagged-and-priority-tagged, the same way ether3/ether4 are set up for VLAN 30).

Okay I am just comparing line by line to my config…
/ip dhcp-server
# The original poster's servers: one per interface. src-address sets the
# address the server answers from; each VLAN interface here carries a single
# address, so it adds nothing.
add address-pool=dhcp disabled=no interface=LanBridge name=defconf
add address-pool=dhcp_pool5 disabled=no interface=VLAN5 lease-time=3d name=dhcp5 src-address=192.168.5.1
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 lease-time=3d name=dhcp10 src-address=192.168.10.1
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 lease-time=3d name=dhcp20 src-address=192.168.20.1
add address-pool=dhcp_pool30 disabled=no interface=VLAN30 lease-time=3d name=dhcp30 src-address=192.168.30.1

and mine
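/ip dhcp-server
# Responder's own servers for comparison: one per VLAN interface, no
# src-address. (The paste had wrapped "lease-time=" and "interface=" across
# line breaks; the lines are restored to one command each.)
add address-pool=dhcp-HomeLAN disabled=no interface=Home-LAN_V22 lease-time=2d name=HoMeLAN
add address-pool=dhcp_SDcap1 disabled=no interface=SmartDev_cap1_V40 lease-time=2d name=SmartDServer1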

What stands out LOL.
What stands out is the src-address= on each DHCP server. It is a real option (the address the server answers from, useful when an interface has several addresses), but every VLAN interface here has exactly one address, so it adds nothing.
If you don't need it, drop it — it isn't something you'll normally see set in Winbox.

Another thing I see rarely used and if used causes issues…
/interface bridge settings
# Quoted from the poster's config: both default to no. With them on, bridged
# (same-VLAN, never routed) frames are also sent through /ip firewall.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

Why did you set it (for a specific reason)? With use-ip-firewall=yes, frames that are merely bridged between ports (same VLAN, never routed) are also pushed through /ip firewall, so the forward chain starts seeing layer-2 traffic and hardware offload is lost. In most cases one leaves both settings at the default (no) and simply uses the IP firewall rules for routed traffic.

I actually detest configs where people mix input chain and forward chain… argggg.
Also, the interface-list name `all lan/vlan` contains a space, which is why the export wraps it in quotes; that is easy to confuse with a comment and easy to mistype in a rule.
Rename it to something without spaces (for example all-lan-vlan) and the quotes disappear.
I also removed any DNS rule that you had disabled, less noise for me to look at!!!
I removed the two "drop DNS from WAN" rules as well: once the input chain ends in a drop-all rule (below) and DNS is only accepted from the LAN/VLAN list, they are redundant, and they made for an ugly, over-complex set of DNS rules. See below for a simple, clean version.
I added an allow admin access to the router so YOU can configure it before I add the last rule
I added as the last rule a drop rule so that ANY other traffic to the router is dropped. The admin-access rule has to be in place (and tested) before you add it, or you will lock yourself out — do this in Safe Mode so the change is rolled back if you lose the connection.

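/ip firewall filter
# ---- INPUT chain: traffic addressed TO the router itself ----
# (Straight quotes only; the curly quotes in the forum paste would be rejected.)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid_
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# DNS for LAN/VLAN clients only. The terminal drop below already covers the
# WAN side, so the separate "drop DNS from ether1" rules are not needed.
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list="all lan/vlan" protocol=tcp
add action=accept chain=input comment="Allow DNS from LAN/VLAN" dst-port=53 in-interface-list="all lan/vlan" protocol=udp
# Management access. The matcher is src-address-list (there is no
# "source-address-list"). adminaccess is an /ip firewall address-list holding
# the FIXED addresses of the hosts you manage the router from -- e.g. the
# desktop on vlan100, the laptop on vlan100 and VLAN5, the tablet on vlan100
# and VLAN20. Set in-interface-list to whichever list those hosts arrive on
# (LAN, vlan or "all lan/vlan" as required).
add action=accept chain=input comment="Allow admin access" in-interface-list="all lan/vlan" src-address-list=adminaccess
# Terminal drop: everything else addressed to the router (Winbox, SSH, WWW,
# API, ...) is dropped on every interface, ether1/WAN included. Add it LAST and
# only after the admin rule above is in place, or you lock yourself out; use
# Safe Mode while making the change.
add action=drop chain=input comment="drop all else"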


Okay on the forward chain I removed any disabled rules as they were getting messy and a clean approach is best.
I added the default rule missing to drop invalid packets.
I added the last drop rule to prevent any other traffic.


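/ip firewall filter
# ---- FORWARD chain: traffic routed THROUGH the router ----
# fasttrack goes BEFORE the accept for established,related: placed after it (as
# in the original post) it is never reached, because the accept has already
# matched every packet it could fasttrack.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix=drop-invalid_
# in-interface-list=WAN (ether1 is its only member) keeps this in step with the
# masquerade rule, which already uses out-interface-list=WAN.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Put every flow you want to permit here, for example:
#   add action=accept chain=forward comment="LAN/VLAN to internet" in-interface-list="all lan/vlan" out-interface-list=WAN
#   add action=accept chain=forward comment="VLAN5 to printer" in-interface=VLAN5 dst-address=<printer IP>
#   add action=accept chain=forward comment="admin to all VLANs" src-address-list=adminaccess out-interface-list=vlan
# Without at least the "to internet" rule, the terminal drop below cuts every
# client off from the WAN -- which is the symptom that started this thread.
add action=drop chain=forward comment="drop all else"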

For example: allow users on VLAN 5 to reach a shared printer on VLAN 100 (`add action=accept chain=forward in-interface=VLAN5 dst-address=<printer IP>`).
For example: allow the VLANs out to the internet — this one is essential, otherwise the final drop cuts everyone off (`add action=accept chain=forward in-interface-list=vlan out-interface-list=WAN`, and the same for the base LAN).
For example: allow the admin hosts on VLAN 100 (base LAN) to reach the other VLANs (`add action=accept chain=forward src-address-list=adminaccess out-interface-list=vlan`).

I salute you sir! Thank you. I am working today, but either tonight or tomorrow I’m going to implement / review every single thing you’ve suggested and report back. I think you’ve highlighted at least two, if not more, major issues that could be at the root of this. Will revert.

Well that was a relief. It worked!!! I haven’t been told off like that since I was at school but you’ve taught me some very important lessons and I’m sincerely grateful.

I’ve implemented all your changes so can’t point to which suggestion(s) specifically fixed it but I was potentially looking in the wrong place. I was obsessed with the bridge Vlan filtering but the firewall changes were likely to be the issue. I’d overlooked the thing staring me in the face.

I’d urge everyone who reads this to pay heed to your advice and don’t assume you know what the problem is.

Thank you once again!

Awesome, there is nothing like the feeling of a working config!!